All,
I have an input in linux_message_syslog that seems to be working fine, but the universal forwarder is providing the FQDN of the host back to Splunk. This specific input seems to be overriding the hostname to the one found in the log, which is just the host name and not the FQDN. Any recommendation on how to handle that?
Jan 27 17:50:05 myawesomeserver clamd[23110]: SelfCheck: Database status OK.
So I end up with
host=myawesomeserver AND host=myawesomeserver.domain.local
Thoughts?
Have a look at the following btool command:
splunk btool props list linux_messages_syslog
Here you find a TRANSFORM for the host part:
TRANSFORMS = syslog-host
Using another btool command you will see that the host field (for linux_messages_syslog) is extracted using a regex:
splunk btool props list syslog-host
So to override this I would try to use an empty TRANSFORMS on the host or source as they have higher precedence than the sourcetype linux_messages_syslog.
Example props.conf:
[host::myawesomeserver]
TRANSFORMS =
Check @micahkemp's answer at
https://answers.splunk.com/answers/598785/why-are-props-and-transforms-preconfigured-to-sani.html
To disable this transform, you can place this in etc/system/local/props.conf:
[linux_messages_syslog]
TRANSFORMS =
@Raschko's answer will only work for the specified host "myawesomeserver", as he is applying it on the host, not on the sourcetype. If the box is a heavy forwarder receiving logs from many nix servers, it's better to do it on the HF using the sourcetype:
[host::myawesomeserver]
TRANSFORMS =
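To see why the two stanzas above behave differently, here is an added example (not from this thread or from Splunk) that emulates index-time host assignment: it parses btool-style props output, reports which stanzas still carry syslog-host, and resolves the host for the event from the question with and without the transform. The regex is an assumed approximation of the stock [syslog-host] transform; check $SPLUNK_HOME/etc/system/default/transforms.conf on your own install.

```python
import re

# Assumed approximation of the stock [syslog-host] REGEX; verify against
# $SPLUNK_HOME/etc/system/default/transforms.conf on your deployment.
SYSLOG_HOST_REGEX = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w.\-]{2,})\]?\s"
)

def parse_btool_props(text: str) -> dict:
    """Parse `splunk btool props list` style output into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def stanzas_using_syslog_host(props: dict) -> list:
    """Stanzas whose TRANSFORMS still include syslog-host (these rewrite host)."""
    return sorted(
        name for name, keys in props.items()
        if "syslog-host" in [t.strip() for t in keys.get("TRANSFORMS", "").split(",")]
    )

def resolve_host(raw: str, forwarder_host: str, transforms: str) -> str:
    """Emulate index-time host assignment: the forwarder-supplied host stands
    unless an applied syslog-host transform extracts a host from the event."""
    host = forwarder_host
    for name in (t.strip() for t in transforms.split(",")):
        if name == "syslog-host":
            m = SYSLOG_HOST_REGEX.search(raw)
            if m:
                host = m.group(1)
    return host

# Constructed sample: the event from the question and two props.conf states.
EVENT = "Jan 27 17:50:05 myawesomeserver clamd[23110]: SelfCheck: Database status OK."
FQDN = "myawesomeserver.domain.local"
BTOOL_DEFAULT = "[linux_messages_syslog]\nTRANSFORMS = syslog-host\n"
BTOOL_FIXED = "[linux_messages_syslog]\nTRANSFORMS = \n"

if __name__ == "__main__":
    for label, text in (("default", BTOOL_DEFAULT), ("local override", BTOOL_FIXED)):
        props = parse_btool_props(text)
        t = props["linux_messages_syslog"].get("TRANSFORMS", "")
        print(label, "->", resolve_host(EVENT, FQDN, t), stanzas_using_syslog_host(props))
```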
Would a better answer have been to do the following?
copy $SPLUNK_HOME/etc/system/default/props.conf to $SPLUNK_HOME/etc/system/local/props.conf
replace all instances of syslog-host with syslog-host-full
restart splunk
Also, in transforms.conf, the only blocks that don't have descriptions are... syslog-host and syslog-host-full. How quaint.
Forgot to mention it, if anyone wonders: this should be done on the receiving indexer.