Retrieving logs from all hosts in Splunk cloud, in...

VijaySrrie · ‎08-26-2019

Hi,

Tanium is sending logs to our only syslog server and we have created a folder in that server (let us say a) so in Splunk cloud it should show as host = a, but in Splunk cloud, we could see hostname containing different syslog servers. Is it a bug?

woodcock · ‎09-18-2019

Yes, this is normal default behavior but it is definitely incorrect for your use case. You need to override the host value and take it from inside of the event or from the connection. See here for how we do it:
http://www.georgestarcher.com/splunk-success-with-syslog/

diogofgm · ‎08-26-2019

It depends on how the data is being handled during index time. You can change the host field in index time with props/transforms confs and you can also set the host as a segment of the path your monitoring.

Several TAs bring some kind of field manipulation out of the box (e.g. you index data with source type pan_logs and it ends up as pan:traffic, pan:system, etc). Same logic can be applied to other fields in index time (e.g. index (for data routing), host (to correctly assign the host name), etc. )

------------
Hope I was able to help you. If so, some karma would be appreciated.

Retrieving logs from all hosts in Splunk cloud, instead of one

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation