Getting Data In

Modification of Host

Contributor

Instead of my host saying host=157.38.2.1, how would I get it to say host=(whatever is in the message)? We want it to be the host name that is pulled out of the field in the message. How would I do this in my props.conf file?

Thank you

Here are some of the sample events. We want to extract whatever is after Host=

08/21/2012 (13:41:30) Host=chlm880.company.com Message=Error processing log message: <166>Aug 21 17:41:30 Vpxa: [2012-08-21 17:41:30.131 14F5EB90 info 'App' opID=task-internal-6044-b2a8e4cf] [VpxLRO] -- BEGIN task-internal-6044 --  -- vpxapi.VpxaService.fetchQuickStats -- 52c58dc1-ef95-5d99-332f-4b8e996f1625
08/21/2012 (13:41:30) Host=chlm880.company.com Message=Error processing log message: <166>Aug 21 17:41:30 Vpxa: [2012-08-21 17:41:30.132 14F5EB90 info 'App' opID=task-internal-6044-b2a8e4cf] [VpxLRO] -- FINISH task-internal-6044 --  -- vpxapi.VpxaService.fetchQuickStats -- 52c58dc1-ef95-5d99-332f-4b8e996f1625
08/21/2012 (13:42:30) Host=chlm880.company.com Message=Error processing log message: <166>Aug 21 17:42:30 Vpxa: [2012-08-21 17:42:30.129 14DCEB90 info 'App' opID=task-internal-6045-b922aab4] [VpxLRO] -- BEGIN task-internal-6045 --  -- vpxapi.VpxaService.fetchQuickStats -- 52c58dc1-ef95-5d99-332f-4b8e996f1625
08/21/2012 (13:42:30) Host=chlm880.company.com Message=Error processing log message: <166>Aug 21 17:42:30 Vpxa: [2012-08-21 17:42:30.130 14DCEB90 info 'App' opID=task-internal-6045-b922aab4] [VpxLRO] -- FINISH task-internal-6045 --  -- vpxapi.VpxaService.fetchQuickStats -- 52c58dc1-ef95-5d99-332f-4b8e996f1625
1 Solution

SplunkTrust

You may need to provide a bit more information. Is this a TCP input, or a UDP input, or what? If it's a UDP input, then you could set the connection_host argument in inputs.conf to dns.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

connection_host = [ip|dns|none]
* For splunktcp, the host or connection_host will be used if the remote Splunk instance does not set a host, 
  or if the host is set to "<host>::<localhost>".
* "ip" sets the host to the IP address of the system sending the data. 
* "dns" sets the host to the reverse DNS entry for IP address of the system sending the data.
* "none" leaves the host as specified in inputs.conf, typically the splunk system hostname.
* Defaults to "ip".

However, this won't work if you want to pull the host name from the actual text of the event, instead of from the source IP of the UDP packet it arrived in. To use the hostname in the event text, it'll be something like:

(props.conf)

[mysourcetype]
# Index-time host override: TRANSFORMS-<class> names a transforms.conf stanza.
# (EXTRACT-<class> is a search-time field extraction that takes a regex, so it cannot rewrite host.)
TRANSFORMS-host = myhostextraction

(transforms.conf)

[myhostextraction]
# Applied to _raw by default; captures the token after the first "Host=" up to the next whitespace.
REGEX = Host=(\S+)
# Write the capture into the host metadata field of the event.
FORMAT = host::$1
DEST_KEY = MetaData:Host
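
To see what this props/transforms pair does to the sample events, here is an added Python example; it is not code from the thread or from Splunk. It applies the same Host=(\S+) regex to a few constructed events modelled on the ones in the question, mirrors the three connection_host settings quoted above as the fallback when the token is missing (the 157.38.2.1 sender address is taken from the question), and adds a hostname sanity check that is my own addition: whatever follows Host= in the event text is controlled by the sender, and \S+ alone would copy any non-whitespace token into the indexed host field. The names SAMPLE_EVENTS, extract_host, assign_hosts, connection_host_value, splunk-indexer and collector.example.net are all assumptions made for this example.

```python
import re
from typing import Callable, List, Optional

# Regex from the transforms.conf stanza above: the token following the first
# "Host=" in the raw event, up to the next whitespace.
HOST_RE = re.compile(r"Host=(\S+)")

# My addition (not in the thread): an RFC 1123 style hostname check so that
# only a plausible DNS name or dotted IPv4 address is accepted as host.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"                                        # total length limit
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"         # first label
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"  # further labels
    r"\.?$"
)

# Constructed sample events, modelled on the ones posted in the question.
# The last one deliberately lacks the Host= token.
SAMPLE_EVENTS = [
    "08/21/2012 (13:41:30) Host=chlm880.company.com Message=Error processing "
    "log message: <166>Aug 21 17:41:30 Vpxa: [VpxLRO] -- BEGIN task-internal-6044 --",
    "08/21/2012 (13:41:30) Host=chlm880.company.com Message=Error processing "
    "log message: <166>Aug 21 17:41:30 Vpxa: [VpxLRO] -- FINISH task-internal-6044 --",
    "08/21/2012 (13:43:00) Message=Heartbeat received from collector",
]


def connection_host_value(mode: str, sender_ip: str, configured_host: str,
                          reverse_dns: Optional[Callable[[str], str]] = None) -> str:
    """Mirror the three connection_host values quoted from inputs.conf.

    "ip"   -> the sending system's IP address (the documented default)
    "dns"  -> its reverse DNS name, via an injected resolver so this stays offline
    "none" -> the host configured in inputs.conf
    """
    if mode == "ip":
        return sender_ip
    if mode == "dns":
        if reverse_dns is None:
            raise ValueError("dns mode needs a resolver")
        return reverse_dns(sender_ip)
    if mode == "none":
        return configured_host
    raise ValueError(f"unknown connection_host mode: {mode!r}")


def extract_host(raw: str, fallback_host: str, strict: bool = True) -> str:
    """Return the host the props/transforms pair would assign to one event.

    The Host= token wins when present (and, with strict=True, when it passes
    the hostname check); otherwise the event keeps the host the input layer
    assigned, just as MetaData:Host is left alone when REGEX does not match.
    """
    match = HOST_RE.search(raw)
    if match:
        candidate = match.group(1)
        if not strict or HOSTNAME_RE.match(candidate):
            return candidate
    return fallback_host


def assign_hosts(events: List[str], sender_ip: str = "157.38.2.1", mode: str = "ip",
                 configured_host: str = "splunk-indexer",
                 reverse_dns: Optional[Callable[[str], str]] = None,
                 strict: bool = True) -> List[str]:
    """Host value for each event: Host= token first, connection_host fallback second."""
    fallback = connection_host_value(mode, sender_ip, configured_host, reverse_dns)
    return [extract_host(event, fallback, strict) for event in events]


if __name__ == "__main__":
    for event, host in zip(SAMPLE_EVENTS, assign_hosts(SAMPLE_EVENTS)):
        print(f"host={host:<22} {event[:60]}...")
```

Run as a script, the two events carrying Host= come out as chlm880.company.com and the heartbeat event keeps the sender address, which is exactly the behaviour to expect in Splunk: events the regex does not match are not rewritten. Pass strict=False to reproduce the plain \S+ behaviour of the posted stanza.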

Legend

If you didn't resolve your problem, then why are you marking the answer as accepted? Don't get me wrong, it's a good answer, but one big reason for having that mechanism is that people can see in the question list which questions have been resolved or not and choose accordingly which questions to turn their attention to.

Contributor

Any suggestions?


Contributor

Thank you and sorry about that. I uploaded some sample events.


SplunkTrust

That isn't clear from your original question. If these are "typical" syslog messages and you have sourcetype=syslog, then host name extraction should happen automatically. If these are not typical, or you don't have that sourcetype, then I would suggest you paste some sample events.

Contributor

We want it to be the host name that is pulled out of the field in the message.


SplunkTrust

Then yeah, in inputs.conf plug in connection_host=dns and restart. New events should have the right value.


Contributor

It is a UDP input.
