Getting Data In

How to prevent linux_messages_syslog input from overriding the FQDN of the host sent from a universal forwarder?

Builder

All,

I have an input in linux_messages_syslog that seems to be working fine, but the universal forwarder is providing the FQDN of the host back to Splunk. This specific input seems to be overriding the hostname to the one found in the log, which is just the host name and not the FQDN. Any recommendation on how to handle that?

Jan 27 17:50:05 myawesomeserver clamd[23110]: SelfCheck: Database status OK.

So I end up with

host=myawesomeserver AND host=myawesomeserver.domain.local

thoughts?

1 Solution

Communicator

Have a look at the following btool command:

splunk btool props list linux_messages_syslog

Here you find a TRANSFORM for the host part:

TRANSFORMS = syslog-host

Using another btool command you will see that the host field (for linux_messages_syslog) is extracted using a regex:

splunk btool props list syslog-host

So to override this, I would try to use an empty TRANSFORMS on the host or source, as they have higher precedence than the sourcetype linux_messages_syslog.

Example props.conf:

[host::myawesomeserver]
TRANSFORMS = 


Champion

Check @micahkemp's answer from
https://answers.splunk.com/answers/598785/why-are-props-and-transforms-preconfigured-to-sani.html

To disable this transform, you can place this in etc/system/local/props.conf:

  [linux_messages_syslog]
  TRANSFORMS = 

@Raschko's answer will only work for the specified host "myawesomeserver", as he is applying it on the host, not on the sourcetype. If the box is a heavy forwarder receiving logs from many *nix servers, it's better to do it on the HF using the sourcetype.

 [host::myawesomeserver]
 TRANSFORMS =
————————————
If this helps, give a like below.
0 Karma
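To see how the host-level override in the accepted answer and the sourcetype-level override above interact with props.conf stanza precedence, here is an added simulation written for this thread (not code from the thread or from Splunk): it layers constructed local props.conf fragments over a default one, picks the winning TRANSFORMS setting, and applies a simplified stand-in for the syslog-host regex to the poster's sample line. It assumes that source:: beats host:: beats sourcetype, that host:: patterns are matched against the host value the forwarder supplied (so the host stanza is written with a wildcard to cover the FQDN), and that the regex, the /var/log/messages source and the file layering are my own simplifications.

```python
import configparser
import fnmatch
import re

# Constructed transforms.conf / props.conf fragments using the thread's stanza names. The REGEX
# is a simplified stand-in for Splunk's real syslog-host pattern, not a copy of it (assumption).
TRANSFORMS_CONF = r"""
[syslog-host]
DEST_KEY = MetaData:Host
REGEX = ^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(\S+)\s
FORMAT = host::$1
"""
DEFAULT_PROPS = "[linux_messages_syslog]\nTRANSFORMS = syslog-host\n"
LOCAL_BY_SOURCETYPE = "[linux_messages_syslog]\nTRANSFORMS =\n"  # sourcetype-level override
LOCAL_BY_HOST = "[host::myawesomeserver*]\nTRANSFORMS =\n"       # host-level override, wildcarded
EVENT = "Jan 27 17:50:05 myawesomeserver clamd[23110]: SelfCheck: Database status OK."
META = {"host": "myawesomeserver.domain.local",  # FQDN as set by the universal forwarder
        "source": "/var/log/messages", "sourcetype": "linux_messages_syslog"}  # constructed

def parse(*texts):
    """Read .conf layers in order; later layers override keys, like local over default."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep TRANSFORMS/REGEX upper-case
    for text in texts:
        cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def effective_transforms(props, meta):
    """Highest-precedence matching stanza wins (assumed: source:: > host:: > sourcetype);
    host:: and source:: patterns are matched against the forwarder-supplied values."""
    ranked = []
    for stanza, kv in props.items():
        kind, _, pattern = stanza.partition("::")
        if "TRANSFORMS" not in kv:
            continue
        if kind in ("source", "host") and fnmatch.fnmatchcase(meta[kind], pattern):
            ranked.append((2 if kind == "source" else 1, kv["TRANSFORMS"]))
        elif stanza == meta["sourcetype"]:
            ranked.append((0, kv["TRANSFORMS"]))
    names = max(ranked)[1] if ranked else ""  # an empty TRANSFORMS disables the transform
    return [n.strip() for n in names.split(",") if n.strip()]

def resolve_host(props, transforms, raw, meta):
    """Apply the effective MetaData:Host transforms to the raw event; return the final host."""
    host = meta["host"]
    for name in effective_transforms(props, meta):
        t, m = transforms[name], re.search(transforms[name]["REGEX"], raw)
        if t.get("DEST_KEY") == "MetaData:Host" and m:
            host = t["FORMAT"].replace("host::", "").replace("$1", m.group(1))
    return host
```

With only DEFAULT_PROPS the host collapses to the short name from the log line; layering either local override on top keeps the forwarder's FQDN.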

Explorer

Would a better answer have been to do the following:
1. copy $SPLUNK_HOME/etc/system/default/props.conf to $SPLUNK_HOME/etc/system/local/props.conf
2. replace all instances of syslog-host with syslog-host-full
3. restart splunk

Also, in transforms.conf, the only blocks that don't have descriptions are... syslog-host and syslog-host-full. How quaint.

0 Karma


Communicator

Forgot to mention it, if anyone wonders: this should be done on the receiving indexer.

0 Karma