Getting Data In

Strip "Original Address" text in splunk



i would like to strip the "Original Address" Text that splunk appends. How do i do this ?

Original Address=xx.xx.x.x 1 2015-01-15T14:28:51.341+11:00......................................... 


Tags (2)
0 Karma

Path Finder

If the host name is part of the filename you can extract that with

host_regex = <reg_ex>

in your inputs.conf. If the name is not on the file name a transform it is.

0 Karma


Hi nishan_perera,

Like @chanfoli wrote, this caused by the forwarding syslog server. You can fix it in Splunk by using a transformation.
It should be done on the indexer(s). You will need two files, props.conf and transforms.conf, both of them in $SPLUNK_HOME/etc/system/local. I will assume that this is the only data that is coming from the syslog server, and that the syslog server is named syslogServer (for my example).




REGEX=Original Address\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

This transformation will be applied to data from the host as it is indexed. Data already in the index will not be affected.

cheers, MuS


I think Original Address data is actually present in the input before splunk gets it. This is a common thing for syslog implentations to do. Can you elaborate on why you think that splunk is appending this to your events/results?

0 Karma


when i check the syslog before it gets forwarded to splunk it looks like this.

2015-01-14 00:00:06 Local0.Info    1 2015-01-13T23:59:04.196+11:00.............

So splunk basically append "Original Address=" infront of the Source IP

0 Karma
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...