Getting Data In

forwarded logs original address as source

gregwilliams
Path Finder

We currently have another syslog server that is handling some network-related scripting and can't be shut down, and rather than add Splunk as another log server on the switches we want to just forward the logs from the current log server to Splunk. This works just fine, except how do I take the logs and change the source? The host shows the current log server as xxx.xxx.xxx.xxx for all logs, but within the log it has this statement: "Original Address=xxx.xxx.yyy.yyy". How do I change the host to xxx.xxx.yyy.yyy instead of the xxx.xxx.xxx.xxx?

1 Solution

lguinn2
Legend

Use a transformation to do this. It should be done on the indexer(s). You will need two files, props.conf and transforms.conf, both of them in $SPLUNK_HOME/etc/system/local. I will assume that this is the only data that is coming from the syslog server, and that the syslog server is named syslogServer (for my example).

props.conf

[host::syslogServer]
TRANSFORMS-t1=rename_host

transforms.conf

[rename_host]
REGEX=Original Address\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
DEST_KEY=MetaData:Host
FORMAT=host::$1

This transformation will be applied to data from the host as it is indexed. Data already in the index will not be affected.

Feel free to follow up with more questions if needed!

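Added example, not part of lguinn2's answer and not Splunk code: a short Python simulation of what the props.conf/transforms.conf pair above does at index time, so the regex can be checked against sample events before it goes onto the indexers. The regex and the host name syslogServer are taken from the answer; the sample events are constructed. The block also shows the two things a practitioner would want to confirm: an event from the relay that carries no "Original Address" keeps the relay's host, and the answer's \d{1,3} octets accept values above 255, which a stricter pattern (an addition here, not from the answer) rejects.

```python
import re

# Regex exactly as in the answer's transforms.conf [rename_host] stanza.
ORIGINAL_ADDRESS_RE = re.compile(
    r"Original Address\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)

# Stricter alternative (added here, not from the answer): each octet must be
# 0-255 and no further digit may follow, so "10.20.30.4567" does not match.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
STRICT_RE = re.compile(
    r"Original Address\=(" + OCTET + r"(?:\." + OCTET + r"){3})(?!\d)"
)

def rename_host(event, host, pattern=ORIGINAL_ADDRESS_RE):
    """Mimic DEST_KEY=MetaData:Host with FORMAT=host::$1: when the event
    carries 'Original Address=<ip>', that ip becomes the host; otherwise the
    event keeps the host it arrived with (the relay)."""
    m = pattern.search(event)
    return m.group(1) if m else host

def index_events(events, relay_host="syslogServer", pattern=ORIGINAL_ADDRESS_RE):
    """Apply the transform only to events whose host matches the
    [host::syslogServer] stanza, as props.conf scoping does. events is a
    list of (host, raw_event) pairs; the result is the same list with
    rewritten hosts."""
    out = []
    for host, raw in events:
        new_host = rename_host(raw, host, pattern) if host == relay_host else host
        out.append((new_host, raw))
    return out

# Constructed sample events: relayed switch log, relay-local message, an event
# from an unrelated host, and a malformed address.
SAMPLE_EVENTS = [
    ("syslogServer",
     "Jan 10 12:00:01 relay syslog-ng[123]: Original Address=10.20.30.40 "
     "%LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down"),
    ("syslogServer",
     "Jan 10 12:00:02 relay syslog-ng[123]: local message with no forwarded address"),
    ("otherhost",
     "Jan 10 12:00:03 other app: Original Address=10.20.30.41 not in the stanza"),
    ("syslogServer",
     "Jan 10 12:00:04 relay syslog-ng[123]: Original Address=10.20.30.4567 malformed"),
]

if __name__ == "__main__":
    for label, pattern in (("answer regex", ORIGINAL_ADDRESS_RE), ("strict regex", STRICT_RE)):
        print(label)
        for host, raw in index_events(SAMPLE_EVENTS, pattern=pattern):
            print("  host=%-14s %s" % (host, raw[:60]))
```

Run it as is to see both patterns side by side. The answer's regex turns the malformed event into host 10.20.30.456 because \d{1,3} simply takes the first three digits; the strict pattern leaves that event on the relay's host, which is usually the safer outcome for a metadata field used in searches and alerts. Neither version touches events already indexed, as the answer notes.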


lguinn2
Legend

You can't do a DNS lookup as part of the transform, but Splunk does ship with a script that can be used with a Splunk lookup. Look at "Example of external fields lookup" within this manual page http://docs.splunk.com/Documentation/Splunk/4.3.1/Knowledge/Addfieldsfromexternaldatasources

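Added example, not from lguinn2's answer and not the script Splunk ships: a reverse-DNS external lookup written in the shape the external_lookup.py example in the linked manual uses. Splunk passes the lookup's field names as command-line arguments, pipes the rows to enrich in as CSV on stdin with one column per field, and expects the same CSV back on stdout with the output column filled in. The field names host and orig_hostname and the stanza name rdns are assumptions for this example; after the accepted answer's transform the switch's IP is already the event's host, so host is the natural input field. The resolver is injectable so the CSV handling can be exercised offline on the constructed sample.

```python
#!/usr/bin/env python3
"""Reverse-DNS external lookup (added example, not Splunk's own script).
Invoked by Splunk as: rdns_lookup.py <ip_field> <hostname_field>
Reads CSV rows on stdin, writes the same rows on stdout with names filled in."""
import csv
import io
import socket
import sys

# Assumed field names for this example (see lead-in).
IP_FIELD = "host"
NAME_FIELD = "orig_hostname"

def reverse_dns(ip, resolver=socket.gethostbyaddr):
    """Return the PTR name for ip, or '' when there is none or resolution
    fails. socket.herror and socket.gaierror are OSError subclasses."""
    try:
        return resolver(ip)[0]
    except OSError:
        return ""

def enrich_rows(rows, ip_field=IP_FIELD, name_field=NAME_FIELD,
                resolver=socket.gethostbyaddr):
    """Fill name_field from ip_field for every row that has an IP but no
    name yet. Each distinct IP is resolved once per invocation; rows that
    already carry a name are passed through unchanged."""
    cache = {}
    out = []
    for row in rows:
        ip = row.get(ip_field, "")
        if ip and not row.get(name_field):
            if ip not in cache:
                cache[ip] = reverse_dns(ip, resolver)
            row[name_field] = cache[ip]
        out.append(row)
    return out

def process_csv(csv_text, ip_field=IP_FIELD, name_field=NAME_FIELD,
                resolver=socket.gethostbyaddr):
    """Read CSV text, enrich it, and return the resulting CSV text with the
    header and column order preserved, which Splunk requires."""
    reader = csv.DictReader(io.StringIO(csv_text))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in enrich_rows(reader, ip_field, name_field, resolver):
        writer.writerow(row)
    return buf.getvalue()

# Constructed sample of what Splunk would pipe in: two rewritten-host IPs,
# one of them repeated so the cache path is exercised.
SAMPLE_CSV = (
    "host,orig_hostname\n"
    "10.20.30.40,\n"
    "192.0.2.9,\n"
    "10.20.30.40,\n"
)

def main(argv):
    # transforms.conf for this script (assumed stanza and field names):
    #   [rdns]
    #   external_cmd = rdns_lookup.py host orig_hostname
    #   fields_list = host, orig_hostname
    if len(argv) != 3:
        sys.stderr.write("usage: rdns_lookup.py <ip_field> <hostname_field>\n")
        return 2
    sys.stdout.write(process_csv(sys.stdin.read(), argv[1], argv[2]))
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Resolution happens at search time, so it never blocks the indexing pipeline the way a lookup inside a transform would; the trade-off is that a search over many distinct addresses issues one PTR query per address per invocation, which is why the script caches within a run and why a CSV lookup refreshed on a schedule is often preferred for large address spaces.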

gregwilliams
Path Finder

Works great. Is there any way to do DNS lookup on that IP then?
