Instead of my host saying host=157.38.2.1, how would I get it to say host=(whatever is in the message)? We want it to be the host name that is pulled out of the field in the message. How would I do this in my props.conf file?
Thank you
Here are some sample events. We want to extract whatever is after Host=
08/21/2012 (13:41:30) Host=chlm880.company.com Message=Error processing log message: <166>Aug 21 17:41:30 Vpxa: [2012-08-21 17:41:30.131 14F5EB90 info 'App' opID=task-internal-6044-b2a8e4cf] [VpxLRO] -- BEGIN task-internal-6044 -- -- vpxapi.VpxaService.fetchQuickStats -- 52c58dc1-ef95-5d99-332f-4b8e996f1625
08/21/2012 (13:41:30) Host=chlm880.company.com Message=Error processing log message: <166>Aug 21 17:41:30 Vpxa: [2012-08-21 17:41:30.132 14F5EB90 info 'App' opID=task-internal-6044-b2a8e4cf] [VpxLRO] -- FINISH task-internal-6044 -- -- vpxapi.VpxaService.fetchQuickStats -- 52c58dc1-ef95-5d99-332f-4b8e996f1625
08/21/2012 (13:42:30) Host=chlm880.company.com Message=Error processing log message: <166>Aug 21 17:42:30 Vpxa: [2012-08-21 17:42:30.129 14DCEB90 info 'App' opID=task-internal-6045-b922aab4] [VpxLRO] -- BEGIN task-internal-6045 -- -- vpxapi.VpxaService.fetchQuickStats -- 52c58dc1-ef95-5d99-332f-4b8e996f1625
08/21/2012 (13:42:30) Host=chlm880.company.com Message=Error processing log message: <166>Aug 21 17:42:30 Vpxa: [2012-08-21 17:42:30.130 14DCEB90 info 'App' opID=task-internal-6045-b922aab4] [VpxLRO] -- FINISH task-internal-6045 -- -- vpxapi.VpxaService.fetchQuickStats -- 52c58dc1-ef95-5d99-332f-4b8e996f1625
You may need to provide a bit more information. Is this a TCP input, or a UDP input, or what? If it's a UDP input, then you could set the connection_host argument in inputs.conf to dns.
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
connection_host = [ip|dns|none]
* For splunktcp, the host or connection_host will be used if the remote Splunk instance does not set a host, or if the host is set to "<host>::<localhost>".
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system sending the data.
* "none" leaves the host as specified in inputs.conf, typically the splunk system hostname.
* Defaults to "ip".
However, this won't work if you want to pull the host name from the actual text of the event, instead of from the source IP of the UDP packet it arrived in. To use the hostname in the event text, it'll be something like:
(props.conf)
[mysourcetype]
# Index-time host override must use a TRANSFORMS- stanza. EXTRACT- is a
# search-time field extraction and does not honour DEST_KEY.
TRANSFORMS-host = myhostextraction
(transforms.conf)
[myhostextraction]
# Capture everything after "Host=" up to the next whitespace
REGEX = Host=(\S+)
# Write the capture as the event's host metadata
FORMAT = host::$1
DEST_KEY = MetaData:Host
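As an added example (not code from this thread or from Splunk), here is a small Python model of what the index-time transforms.conf stanza does: parse the stanza, run REGEX over each event, substitute $1 into FORMAT, and set the host key from it, keeping the host assigned by the input when the regex does not match. The stanza name, the conf text and the second, host-less event are constructed for the example.

```python
import re

# Constructed transforms.conf text modelled on the stanza in the answer above.
TRANSFORMS_CONF = r"""
[myhostextraction]
REGEX = Host=(\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
"""

# Constructed events: the first mirrors the thread's sample data (truncated),
# the second has no Host= field so the input's host should be kept.
EVENTS = [
    "08/21/2012 (13:41:30) Host=chlm880.company.com Message=Error processing log message: "
    "<166>Aug 21 17:41:30 Vpxa: [VpxLRO] -- BEGIN task-internal-6044",
    "08/21/2012 (13:43:30) Message=heartbeat with no Host field",
]


def parse_stanza(text, name):
    """Return the key/value settings of the [name] stanza in a conf file."""
    settings, in_stanza = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_stanza = line == f"[{name}]"
            continue
        if in_stanza and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def apply_host_transform(stanza, event, input_host):
    """Apply one stanza to one event. On a REGEX match, $N in FORMAT is replaced
    by capture group N and the 'host::' prefix names the metadata key; with no
    match the host assigned by the input (IP or reverse DNS) is left untouched."""
    if stanza.get("DEST_KEY") != "MetaData:Host":
        raise ValueError("stanza does not target MetaData:Host")
    m = re.search(stanza["REGEX"], event)
    if not m:
        return input_host
    value = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), stanza["FORMAT"])
    return value.split("::", 1)[1] if value.startswith("host::") else value


def index_events(conf_text, events, input_host):
    """Host value each event would be indexed with; input_host is the UDP sender."""
    stanza = parse_stanza(conf_text, "myhostextraction")
    return [apply_host_transform(stanza, e, input_host) for e in events]
```

Because `\S+` accepts any non-whitespace text, the host field is only as trustworthy as the message body; a stricter hostname character class in REGEX limits what a malformed event can write into the host key.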
If you didn't resolve your problem, then why are you marking the answer is accepted? Don't get me wrong, it's a good answer, but one big reason for having that mechanism is that people can see in the question list which questions have been resolved or not and choose accordingly which questions to turn their attention to.
Any suggestions?
Thank you and sorry about that. I uploaded some sample events.
That isn't clear from your original question. If these are "typical" syslog messages and you have sourcetype=syslog, that host name extraction should happen automatically. If these are not typical, or you don't have that sourcetype, then I would suggest you paste some sample events.
We want it to be the host name that is pulled out of the field in the message.
Then yeah, in inputs.conf plug in connection_host=dns and restart. New events should have the right value.
It is a UDP input