Getting Data In

Strip "Original Address" text in splunk



i would like to strip the "Original Address" Text that splunk appends. How do i do this ?

Original Address=xx.xx.x.x 1 2015-01-15T14:28:51.341+11:00......................................... 


Tags (2)
0 Karma

Path Finder

If the host name is part of the filename you can extract that with

host_regex = <reg_ex>

in your inputs.conf. If the name is not on the file name a transform it is.

0 Karma


Hi nishan_perera,

Like @chanfoli wrote, this caused by the forwarding syslog server. You can fix it in Splunk by using a transformation.
It should be done on the indexer(s). You will need two files, props.conf and transforms.conf, both of them in $SPLUNK_HOME/etc/system/local. I will assume that this is the only data that is coming from the syslog server, and that the syslog server is named syslogServer (for my example).




REGEX=Original Address\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

This transformation will be applied to data from the host as it is indexed. Data already in the index will not be affected.

cheers, MuS


I think Original Address data is actually present in the input before splunk gets it. This is a common thing for syslog implentations to do. Can you elaborate on why you think that splunk is appending this to your events/results?

0 Karma


when i check the syslog before it gets forwarded to splunk it looks like this.

2015-01-14 00:00:06 Local0.Info    1 2015-01-13T23:59:04.196+11:00.............

So splunk basically append "Original Address=" infront of the Source IP

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...