Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a field to represent intermediate forwarder for Syslog data ?

dm1
Contributor
‎06-06-2021 06:41 PM

We are ingesting syslog data via syslog server and have configured host overriding on the local UF to show host field value as the originating host.

Because we have syslog data from multiple syslog servers, I would like to be able to identify which syslog server is sending what syslog data.

I recall there was a way to configure some metadata field to extract and apply the transform for creating a new host field for intermediate forwarder, but I dont recall how I did it.

Can someone please advise how to do this ?

 

 

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎06-09-2021 08:32 PM

Hi @dm1 

You can use INGEST_EVAL to create index time field in transforms.conf and refer the same in props.conf on HF/indexer. 

It works similar to eval, your syslog sever name should be part of one of the deault fields (host, source)/_raw. Refer - transforms.conf - Splunk Documentation

---

An upvote would be appreciated if it helps!

0 Karma
Reply

dm1
Contributor
‎06-09-2021 10:27 PM

Can you please give an example on how this can be achieved using ingest_eval ?

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎06-09-2021 10:42 PM

Hi @dm1

Following should be deployed to HF/indexer. Assuming here your source field having syslog_server_host.. it could be _raw as well.

syslog_server field will be indexed.

 

# props.conf
[sourcetype_name_here/source::/host::]
TRANSFORM-set_syslogs = index-syslog-host

#transforms.conf
# INGEST_EVAL works same as EVAL
[index-syslog-host]
INGEST_EVAL = syslog_server=mvindex(split(source,"/"),3)

 

 

 

 

UI version of testing of EVAL.

venkatasri_0-1623303680966.png

----

An upvote would be appreciated if it helps!

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-10-2021 12:36 AM

HI

That method wat @venkatasri proposal works well, but how to implement it to your environment depends on how you are takin those logs in splunk. Are you using directly UDP/TCP port on forwarder or are you reading those on filesystem (as @venkatasri supposed) and his those are divided on FS if they are there.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...