Getting Data In

How to create a field to represent the intermediate forwarder for syslog data?

dm1
Contributor

We are ingesting syslog data via syslog server and have configured host overriding on the local UF to show host field value as the originating host.

Because we have syslog data from multiple syslog servers, I would like to be able to identify which syslog server is sending what syslog data.

I recall there was a way to configure some metadata field to extract and apply a transform for creating a new host field for the intermediate forwarder, but I don't recall how I did it.

Can someone please advise how to do this?

0 Karma

venkatasri
SplunkTrust

Hi @dm1

You can use INGEST_EVAL to create an index-time field in transforms.conf and reference it from props.conf on the HF/indexer.

It works similarly to eval; your syslog server name should be part of one of the default fields (host, source) or _raw. Refer to transforms.conf - Splunk Documentation.

---

An upvote would be appreciated if it helps!

0 Karma

dm1
Contributor

Can you please give an example of how this can be achieved using ingest_eval?

0 Karma

venkatasri
SplunkTrust

Hi @dm1

The following should be deployed to the HF/indexer. I'm assuming here that your source field contains syslog_server_host; it could be _raw as well.

The syslog_server field will be indexed.

# props.conf
# Stanza can be [<sourcetype>], [source::<path>] or [host::<host>]
[sourcetype_name_here]
# The props.conf key is TRANSFORMS-<class>, not TRANSFORM-
TRANSFORMS-set_syslogs = index-syslog-host

# transforms.conf
# INGEST_EVAL works the same as EVAL; mvindex is zero-based, and split()
# on a path with a leading "/" yields an empty first element at index 0
[index-syslog-host]
INGEST_EVAL = syslog_server=mvindex(split(source,"/"),3)

UI version of testing the EVAL: [screenshot venkatasri_0-1623303680966.png, not reproduced here]

---

An upvote would be appreciated if it helps!

0 Karma

isoutamo
SplunkTrust

Hi

The method that @venkatasri proposes works well, but how to implement it in your environment depends on how you are taking those logs into Splunk. Are you using a UDP/TCP port directly on the forwarder, or are you reading them from the filesystem (as @venkatasri assumed), and if so, how are they divided on the FS?

r. Ismo

0 Karma
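The transforms.conf example above hard-codes index 3 into mvindex(split(source,"/"),3), and, as the follow-up reply points out, whether that picks out the relay hostname depends entirely on the directory layout the forwarder reads from. The script below is an added example, not code from the thread or from Splunk: it emulates Splunk's split() and mvindex() semantics (empty segments are kept, indexes are zero-based, negative indexes count from the end, out-of-range indexes yield null) so the index can be checked offline against a sample source path before the transform is deployed. The sample paths and relay names (relay01, relay02) are constructed for the example.

```python
"""
Offline check for an INGEST_EVAL expression of the form
    syslog_server = mvindex(split(source, "/"), N)
by emulating Splunk's split() and mvindex() semantics in Python.
Added example; the source paths below are constructed, not real data.
"""
from typing import Dict, List, Optional


def splunk_split(value: str, delimiter: str) -> List[str]:
    """Splunk split() keeps empty segments: a leading '/' produces '' at index 0."""
    return value.split(delimiter)


def mvindex(mv: List[str], index: int) -> Optional[str]:
    """Splunk mvindex(): zero-based, negative indexes count from the end,
    out-of-range indexes yield null (None here)."""
    if index < 0:
        index += len(mv)
    if 0 <= index < len(mv):
        return mv[index]
    return None


def syslog_server_from_source(source: str, index: int) -> Optional[str]:
    """Evaluate mvindex(split(source,"/"),<index>) for one event's source path."""
    return mvindex(splunk_split(source, "/"), index)


def index_for_server(source: str, server: str) -> Optional[int]:
    """Return the mvindex position that selects `server` in `source`, or None
    if that segment is absent. Use it to pick N before editing transforms.conf."""
    segments = splunk_split(source, "/")
    return segments.index(server) if server in segments else None


# Constructed sample source paths: two syslog relays whose files sit at
# different depths on the forwarder's filesystem, mapped to the relay name
# the syslog_server field is expected to carry.
SAMPLE_SOURCES: Dict[str, str] = {
    "/var/log/syslog/relay01/messages": "relay01",
    "/data/remote-syslog/relay02/firewall/2021-06-10.log": "relay02",
}


def check_layouts(index: int) -> Dict[str, Optional[str]]:
    """Show what a single fixed index would produce for every sample layout."""
    return {src: syslog_server_from_source(src, index) for src in SAMPLE_SOURCES}


if __name__ == "__main__":
    for src, expected in SAMPLE_SOURCES.items():
        print(f"{src} -> relay is at index {index_for_server(src, expected)}")
    # With index 3 the first layout yields "syslog", not the relay name.
    print(check_layouts(3))
```

Run it against a few real source values from your own environment (a search over `| stats count by source` gives them) and use the index that index_for_server returns; if the relay directory always sits at the same position counted from the end of the path, a negative index such as -2 is more robust to differing mount points than a fixed positive one.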