Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to prevent linux_message_syslog input from ove...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All,
I have an input in linux_message_syslog that seems to be working fine, but the universal forwarder is providing the FQDN of the host back to Splunk. This specific input seems to be overriding the hostname to the one found in the log, which is just the host name and not the FQDN. Any recommendation on how to handle that?
Jan 27 17:50:05 myawesomeserver clamd[23110]: SelfCheck: Database status OK.
so I end up with
host=myawesomeserver AND host=myawesomeserver.domain.local
thoughts?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have a look at the following btool command:
splunk btool props list linux_messages_syslog
Here you find a TRANSFORM for the host part:
TRANSFORMS = syslog-host
Using another btool command you will see that the host field (for linux_messages_syslog) is extracted using a regex:
splunk btool props list syslog-host
So to override this I would try to use an empty TRANSFORMS on the host or source as they have higher precedence than the sourcetype linux_messages_syslog.
Example props.conf:
[host::myawesomeserver]
TRANSFORMS =
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
check @micahkemp answer from
https://answers.splunk.com/answers/598785/why-are-props-and-transforms-preconfigured-to-sani.html
To disable this transform, you can place this in etc/system/local/props.conf:
[linux_messages_syslog]
TRANSFORMS =
@Raschko answer will only work for specified host "myawesomeserver" as he is applying on host not on sourcetype. If the box is heavy forwarder receiving logs from many nix servers its better to do on HF using sourcetype.
[host::myawesomeserver]
TRANSFORMS =
If this helps, give a like below.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Would a better answer have been to do the following:
copy $SPLUNK_HOME/etc/system/default/props.conf to $SPLUNK_HOME/etc/system/local/props.conf
replace all instances of syslog-host with syslog-host-full
restart splunk
Also, in transforms.conf, the only blocks that don't have descriptions are.....syslog-host and syslog-host-full. how quaint.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have a look at the following btool command:
splunk btool props list linux_messages_syslog
Here you find a TRANSFORM for the host part:
TRANSFORMS = syslog-host
Using another btool command you will see that the host field (for linux_messages_syslog) is extracted using a regex:
splunk btool props list syslog-host
So to override this I would try to use an empty TRANSFORMS on the host or source as they have higher precedence than the sourcetype linux_messages_syslog.
Example props.conf:
[host::myawesomeserver]
TRANSFORMS =
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forgot to mention it if anyone wonders - this should be done on the receiving indexer.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
