We are ingesting syslog data via syslog server and have configured host overriding on the local UF to show host field value as the originating host.
Because we have syslog data from multiple syslog servers, I would like to be able to identify which syslog server is sending what syslog data.
I recall there was a way to configure some metadata field to extract and apply the transform for creating a new host field for the intermediate forwarder, but I don't recall how I did it.
Can someone please advise how to do this?
Hi @dm1
You can use INGEST_EVAL to create an index-time field in transforms.conf and refer to the same in props.conf on the HF/indexer.
It works similar to eval; your syslog server name should be part of one of the default fields (host, source) or _raw. Refer - transforms.conf - Splunk Documentation
---
An upvote would be appreciated if it helps!
Can you please give an example on how this can be achieved using ingest_eval ?
Hi @dm1
The following should be deployed to the HF/indexer. Assuming here your source field contains syslog_server_host; it could be _raw as well.
The syslog_server field will be indexed.
# props.conf
# use exactly one stanza form: [sourcetype_name_here], [source::<path>] or [host::<name>]
[sourcetype_name_here/source::/host::]
# the props.conf key is TRANSFORMS-<class> (plural), not TRANSFORM-
TRANSFORMS-set_syslogs = index-syslog-host
#transforms.conf
# INGEST_EVAL works same as EVAL
# split() on "/" and mvindex() is zero-based; a leading "/" in source
# gives an empty first element, so index 3 is the fourth path segment
[index-syslog-host]
INGEST_EVAL = syslog_server=mvindex(split(source,"/"),3)
UI version of testing of EVAL.
----
An upvote would be appreciated if it helps!
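A complete version of the three conf files this reply describes, added here as an illustration (it is not configuration from the reply author or from Splunk docs). It assumes a file-based input where the syslog server's UF monitors a directory laid out as /var/log/<syslog_server>/<originating_host>/<file>, so that the fourth path segment of source is the syslog server name; the path, the stanza names and the field name are all assumptions.

```ini
# ---- props.conf (on the HF or indexer that parses the data) ----
# Assumed layout written by the syslog daemon: /var/log/<syslog_server>/<orig_host>/<file>
[source::/var/log/*/*/*]
TRANSFORMS-set_syslog_server = index-syslog-host

# ---- transforms.conf ----
[index-syslog-host]
# split("/var/log/syslog01/webhost/messages.log", "/")
#   -> "", "var", "log", "syslog01", "webhost", "messages.log"
# mvindex is zero-based and the leading "/" yields an empty element 0,
# so element 3 is the syslog server directory.
INGEST_EVAL = syslog_server=mvindex(split(source,"/"),3)

# ---- fields.conf ----
# Declares the new field as indexed so that "syslog_server=syslog01" works in
# search; without this, the indexed value is only reachable as
# "syslog_server::syslog01".
[syslog_server]
INDEXED = true
```

Validate the expression on a live search before deploying it (for example `| makeresults | eval source="/var/log/syslog01/webhost/messages.log" | eval syslog_server=mvindex(split(source,"/"),3)`): an extra or missing directory level shifts the index, and a wrong index silently stamps every event with the wrong server. If the syslog servers forward over a UDP/TCP input instead of files, source has no path to split (it is the port, e.g. udp:514), so the value has to come from _raw or be set on each syslog server's own UF in inputs.conf with `_meta = syslog_server::<name>`, which also produces an indexed field.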
Hi
That method that @venkatasri proposed works well, but how to implement it in your environment depends on how you are taking those logs into Splunk. Are you using a UDP/TCP port directly on the forwarder, or are you reading those from the filesystem (as @venkatasri supposed), and how are those divided on the FS if they are there?
r. Ismo