I have a single Linux syslog stream, containing logs from multiple hosts, coming into a Splunk indexer through TCP port 1027. The source=tcp:1027 and sourcetype=syslog. The host is assigned using default settings, but I also have the following in place:
props.conf
[source::tcp:1027]
TRANSFORMS-syslog-forwarded-hostrewrite01=syslog-forwarded-hostrewrite01
transforms.conf
[syslog-forwarded-hostrewrite01]
DEST_KEY = MetaData:Host
REGEX = ^\S+\s+[0-9]+\s+[:0-9]+\s\S+\sMessage forwarded\sfrom\s?(\S+):
FORMAT = host::$1
disabled = 0
There's a specific host "utc-host" that is sending logs in UTC. Our indexer and users are in Pacific Time. To offset this, I created the following configuration:
props.conf
[host::utc-host]
TZ = UTC
Unfortunately, this did not work. I did cmd btool props list to confirm the configurations were committing to Splunk's running configuration. Any tips?
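As an added example (not part of the original question or of Splunk itself), this Python script checks the posted transforms.conf REGEX against a constructed line in the "Message forwarded from" relay format and shows how far an event from a UTC host lands from its true time when the indexer reads the zone-less syslog timestamp as Pacific Time. The relay name relay01, the host pst-host and the sample messages are constructed; utc-host and the REGEX come from the question.

```python
import re
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# The REGEX from the question's transforms.conf, compiled unchanged, so the
# match can be checked against the exact line format the relay produces.
HOST_REWRITE_RE = re.compile(
    r"^\S+\s+[0-9]+\s+[:0-9]+\s\S+\sMessage forwarded\sfrom\s?(\S+):"
)

# Constructed sample lines. "relay01" is an assumed relay name; "utc-host" is
# the host from the question. Syslog timestamps carry no year and no zone.
FORWARDED = ("Mar  5 12:34:56 relay01 Message forwarded from utc-host: "
             "sshd[4242]: Accepted publickey for alice from 10.0.0.5")
DIRECT = "Mar  5 12:34:56 pst-host sshd[4242]: Failed password for root"

def rewritten_host(line):
    """Host the transform would write into MetaData:Host, or None if the
    REGEX does not match (Splunk then keeps the default host assignment)."""
    m = HOST_REWRITE_RE.match(line)
    return m.group(1) if m else None

def event_time_utc(line, tz_name, year):
    """Interpret the zone-less syslog timestamp in the given zone and return
    it as a UTC datetime, as an indexer applying TZ=tz_name would."""
    month, day, clock = line.split()[:3]
    naive = datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=ZoneInfo(tz_name)).astimezone(timezone.utc)

def tz_skew_seconds(line, year=2024):
    """Gap between the true time of an event from a UTC host and the time an
    indexer records if it assumes Pacific Time: the offset an analyst sees
    when correlating this host's events with the rest of the timeline."""
    as_pacific = event_time_utc(line, "America/Los_Angeles", year)
    as_utc = event_time_utc(line, "UTC", year)
    return int((as_pacific - as_utc).total_seconds())

if __name__ == "__main__":
    print(rewritten_host(FORWARDED))   # utc-host
    print(rewritten_host(DIRECT))      # None
    print(tz_skew_seconds(FORWARDED))  # 28800 (8 h: PST, before DST in March 2024)
```

Running the script against a copy of a real relayed line is a quick way to confirm the REGEX actually captures the intended host name before debugging the TZ stanza.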
btool shows the configuration that will be used the next time Splunk restarts. Did you restart Splunk after making changes to props.conf?
Yes - many times.