Re: Strip "Original Address" text in splunk

nishan_perera · ‎01-14-2015

Hi,

i would like to strip the "Original Address" Text that splunk appends. How do i do this ?

Original Address=xx.xx.x.x 1 2015-01-15T14:28:51.341+11:00.........................................

Cheers

trsavela · ‎01-15-2015

If the host name is part of the filename you can extract that with

host_regex = <reg_ex>

in your inputs.conf. If the name is not on the file name a transform it is.

MuS · ‎01-14-2015

Hi nishan_perera,

Like @chanfoli wrote, this caused by the forwarding syslog server. You can fix it in Splunk by using a transformation.
It should be done on the indexer(s). You will need two files, props.conf and transforms.conf, both of them in $SPLUNK_HOME/etc/system/local. I will assume that this is the only data that is coming from the syslog server, and that the syslog server is named syslogServer (for my example).

props.conf

[host::syslogServer]
TRANSFORMS-t1=rename_host

transforms.conf

[rename_host]
REGEX=Original Address\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
DEST_KEY=MetaData:Host
FORMAT=host::$1

This transformation will be applied to data from the host as it is indexed. Data already in the index will not be affected.

cheers, MuS

chanfoli · ‎01-14-2015

I think Original Address data is actually present in the input before splunk gets it. This is a common thing for syslog implentations to do. Can you elaborate on why you think that splunk is appending this to your events/results?

nishan_perera · ‎01-14-2015

when i check the syslog before it gets forwarded to splunk it looks like this.

2015-01-14 00:00:06 Local0.Info xx.xx.xxx.xx    1 2015-01-13T23:59:04.196+11:00.............

So splunk basically append "Original Address=" infront of the Source IP

Strip "Original Address" text in splunk

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life