Getting Data In

forwarded logs original address as source

Path Finder

We currently have another syslog server that is handling some network related scripting and can't be shut down, and rather than add Splunk as another log server on the switches we want to just forward the logs from the current log server to Splunk. This works just fine, except how do I take the logs and change the source? The host shows the current log server as xxx.xxx.xxx.xxx for all logs, but within the log it has this statement: "Original Address=xxx.xxx.yyy.yyy". How do I change the host to xxx.xxx.yyy.yyy instead of the xxx.xxx.xxx.xxx?


Legend

Use a transformation to do this. It should be done on the indexer(s). You will need two files, props.conf and transforms.conf, both of them in $SPLUNK_HOME/etc/system/local. I will assume that this is the only data that is coming from the syslog server, and that the syslog server is named syslogServer (for my example).

props.conf

# applies only to events whose host is the relay, syslogServer
[host::syslogServer]
TRANSFORMS-t1=rename_host

transforms.conf

[rename_host]
# capture the dotted-quad after "Original Address=" in the event body
REGEX=Original Address\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
# write the capture into the event's host metadata
DEST_KEY=MetaData:Host
FORMAT=host::$1

This transformation will be applied to data from the host as it is indexed. Data already in the index will not be affected.

Feel free to follow up with more questions if needed!

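The following is an added example, not part of the answer above or of Splunk itself: a small Python emulation of what the props.conf/transforms.conf pair does at index time, so the behaviour can be checked on sample lines before the config is deployed. It reuses the answer's regex and the stanza scope (only events whose host is syslogServer are touched). The sample syslog lines, the host name syslogServer and the addresses are constructed; the ipaddress validation step is an addition beyond the page's config, included because the regex alone also accepts octets such as 999.

```python
import ipaddress
import re

# Regex copied from the rename_host stanza in the answer's transforms.conf.
ORIGINAL_ADDRESS_RE = re.compile(
    r"Original Address\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)

# Host value the relay stamps on every forwarded event; this is the
# [host::syslogServer] scope from props.conf (constructed name).
RELAY_HOST = "syslogServer"


def rewrite_host(host, raw):
    """Return the host value that would be stored for one event.

    Mirrors the transform: only events already attributed to the relay are
    candidates, and only when the body carries "Original Address=<ipv4>".
    Everything else keeps the host it arrived with.
    """
    if host != RELAY_HOST:
        # props.conf stanza does not match, so the transform never runs.
        return host
    match = ORIGINAL_ADDRESS_RE.search(raw)
    if not match:
        # Relayed event without the field keeps the relay as its host.
        return host
    candidate = match.group(1)
    # Extra check not in the page's config: \d{1,3} also matches "999",
    # so reject anything that is not a real IPv4 address.
    try:
        ipaddress.IPv4Address(candidate)
    except ValueError:
        return host
    return candidate


def apply_transform(events):
    """Apply rewrite_host to (host, raw_event) pairs; returns the new hosts."""
    return [rewrite_host(host, raw) for host, raw in events]


# Constructed sample events: (host as received, raw event text).
SAMPLE_EVENTS = [
    ("syslogServer",
     "<189>Jan  4 10:15:02 syslogServer relay: Original Address=192.0.2.17 "
     "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to down"),
    ("syslogServer",
     "<189>Jan  4 10:15:03 syslogServer relay: local housekeeping message"),
    ("otherhost",
     "<189>Jan  4 10:15:04 otherhost app: Original Address=192.0.2.18 ignored"),
    ("syslogServer",
     "<189>Jan  4 10:15:05 syslogServer relay: Original Address=999.0.2.19 bad"),
]


if __name__ == "__main__":
    for (host, raw), new_host in zip(SAMPLE_EVENTS, apply_transform(SAMPLE_EVENTS)):
        print(f"{host:>13} -> {new_host:<13} | {raw[:60]}")
```

Run it as a script to see each sample line next to the host it would be indexed under. Note that, as in the real transform, the host is now taken from the event body rather than from the sending connection, so the regex should stay as specific to the relay's output format as the answer's is.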


Legend

You can't do a DNS lookup as part of the transform, but Splunk does ship with a script that can be used with a Splunk lookup. Look at "Example of external fields lookup" within this manual page http://docs.splunk.com/Documentation/Splunk/4.3.1/Knowledge/Addfieldsfromexternaldatasources

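As an added example (not the script that ships with Splunk, and not part of the answer above), here is a minimal external lookup script of the kind the linked page describes: Splunk passes the field names as arguments and the rows as CSV on stdin, and the script writes the same CSV back with the empty hostname column filled by a reverse DNS lookup. The script name reverse_dns_lookup.py, the lookup stanza name and the field names ip/hostname are assumptions; the fake_resolver and its addresses are a constructed stand-in so the module can be exercised offline.

```python
#!/usr/bin/env python3
"""Hypothetical external lookup script: reverse-resolve an IP column.

Assumed transforms.conf wiring (stanza and script name are examples):

    [dns_reverse]
    external_cmd = reverse_dns_lookup.py ip hostname
    fields_list = ip, hostname

Usage in search (assumed lookup name): ... | lookup dns_reverse ip OUTPUT hostname
"""
import csv
import socket
import sys


def resolve_ip(ip, resolver=socket.gethostbyaddr):
    """Reverse-resolve one IPv4 address; return '' when there is no PTR."""
    try:
        return resolver(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return ""


def fill_rows(rows, ip_field="ip", host_field="hostname",
              resolver=socket.gethostbyaddr):
    """Fill host_field for every row that has an IP but no hostname yet.

    Rows that already carry a hostname are passed through unchanged, which is
    what lets the lookup be re-run safely over partially enriched results.
    """
    out = []
    for row in rows:
        row = dict(row)
        if row.get(ip_field) and not row.get(host_field):
            row[host_field] = resolve_ip(row[ip_field], resolver)
        out.append(row)
    return out


def fake_resolver(ip):
    """Constructed offline stand-in for socket.gethostbyaddr (example only)."""
    table = {"192.0.2.17": "switch01.example.internal"}
    if ip in table:
        return (table[ip], [], [ip])
    raise OSError("no PTR record")


def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) != 2:
        sys.exit("usage: reverse_dns_lookup.py <ip_field> <hostname_field>")
    ip_field, host_field = argv
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in fill_rows(reader, ip_field, host_field):
        writer.writerow(row)


if __name__ == "__main__":
    main()
```

Dropped into $SPLUNK_HOME/etc/system/bin (or the app's bin directory) with the stanza shown in the docstring, the script gives the search-time hostname without touching the host field set by the index-time transform; failed lookups leave the column empty rather than aborting the search.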

Path Finder

Works great. Is there any way to do DNS lookup on that IP then?
