Getting Data In

How to create a field to represent the intermediate forwarder for syslog data?

dm1
Communicator

We are ingesting syslog data via syslog server and have configured host overriding on the local UF to show host field value as the originating host.

Because we have syslog data from multiple syslog servers, I would like to be able to identify which syslog server is sending what syslog data.

I recall there was a way to configure some metadata field to extract and apply a transform for creating a new host field for the intermediate forwarder, but I don't recall how I did it.

Can someone please advise how to do this?


0 Karma

venkatasri
SplunkTrust

Hi @dm1 

You can use INGEST_EVAL to create an index-time field in transforms.conf and reference it from props.conf on the HF/indexer.

It works similarly to eval; your syslog server name should be part of one of the default fields (host, source) or _raw. Refer to transforms.conf - Splunk Documentation.

---

An upvote would be appreciated if it helps!

0 Karma

dm1
Communicator

Can you please give an example of how this can be achieved using INGEST_EVAL?

0 Karma

venkatasri
SplunkTrust

Hi @dm1

The following should be deployed to the HF/indexer. I'm assuming here that your source field contains the syslog server host; it could be _raw as well.

The syslog_server field will be indexed.


# props.conf
# Use one stanza type: [sourcetype_name_here], [source::<path>] or [host::<host>]
[sourcetype_name_here]
TRANSFORMS-set_syslogs = index-syslog-host

# transforms.conf
# INGEST_EVAL works the same way as EVAL; the index passed to mvindex must match
# the position of the syslog server name in the source path (0-based, "/" separated)
[index-syslog-host]
INGEST_EVAL = syslog_server=mvindex(split(source,"/"),3)


UI version of testing the EVAL (screenshot).

---

An upvote would be appreciated if it helps!

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

The method that @venkatasri proposed works well, but how to implement it in your environment depends on how you are taking those logs into Splunk. Are you using a UDP/TCP port directly on the forwarder, or are you reading those from the filesystem (as @venkatasri assumed), and if they are there, how are those divided on the FS?

r. Ismo

0 Karma
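As an added example (not from either answer above), the following Python helper approximates Splunk's split() and mvindex() so you can check which index the INGEST_EVAL expression needs for your own directory layout before deploying to the HF/indexer; it also shows the point raised about network inputs, where source carries no server name. The sample source paths are constructed for illustration, and the helper is an approximation, so confirm the final expression with the UI eval test shown in the earlier answer.

```python
# Added example: emulate mvindex(split(source,"/"),<idx>) over candidate source values
# so the index in transforms.conf can be validated offline. The Splunk function
# semantics are approximated here (this is not Splunk code).
from typing import Optional


def splunk_split(value: str, sep: str) -> list:
    # Approximation of Splunk split(): returns the parts as a multivalue list.
    return value.split(sep)


def splunk_mvindex(mv: list, idx: int) -> Optional[str]:
    # Approximation of Splunk mvindex(): negative indexes count from the end
    # (-1 = last value); an out-of-range index yields null (None here).
    if idx < 0:
        idx += len(mv)
    if idx < 0 or idx >= len(mv):
        return None
    return mv[idx]


def syslog_server(source: str, idx: int) -> Optional[str]:
    # Mirrors: INGEST_EVAL = syslog_server=mvindex(split(source,"/"),<idx>)
    return splunk_mvindex(splunk_split(source, "/"), idx)


# Constructed sample source values (assumption, not from the thread): two file layouts
# of different depth, and the source a forwarder assigns to a UDP network input, which
# contains no server name at all, so a path-based extraction cannot work there.
SAMPLE_SOURCES = [
    "/var/log/syslog/srv-a/messages",
    "/var/log/remote/syslog/srv-b/messages",
    "udp:514",
]


def report(idx: int) -> dict:
    # Map each sample source to the value the INGEST_EVAL would produce for <idx>.
    return {s: syslog_server(s, idx) for s in SAMPLE_SOURCES}


if __name__ == "__main__":
    # Index 3 only matches one layout; a negative index such as -2 (the directory
    # directly above the file name) is independent of path depth.
    for idx in (3, 4, -2):
        print(idx, report(idx))
```

Run it with your real source values in SAMPLE_SOURCES; if the layouts differ per syslog server, a negative index (or a separate transform per source:: stanza) avoids indexing the wrong directory name.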