Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- host_segment being overridden
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
host_segment being overridden
I am using the following in a configuration being distributed to several remote syslog servers. Works as expected on all UF's, except 1. From a single UF's, the 'host' field in the indexed events is being reported as "PaloAlto" instead of the 4th segment as expected?
I searched through all of the .conf files on the UF manually and used BTOOL looking for a missed "host_segment" entry or something hidden in another config that would cause this, none found.
Am I am missing something obvious to the rest of you?
[monitor:///app01/logs/ASA]
whitelist = .+\.log$
host_segment = 4
index = syn_netfw
sourcetype = cisco:asa
ignoreOlderThan = 2d
disabled = 0
[monitor:///app01/logs/PaloAlto]
whitelist = .+\.log$
host_segment = 4
index = syn_netfw
sourcetype = pan:log
ignoreOlderThan = 2d
disabled = 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My mystery continues. On the UF causing the problem. Restatement: Collecting PaloAlto logs from multiple UF's, all via distributed inputs.conf below. (1) UF however is reporting the host as PaloAlto. Searched through all ./apps/* for possible conf that was overwriting of host_segment and none found.
Final test, changed target directory AND inputs.conf below from */logs/PaloAlto to */logs/PA using a name that would not have been used in any transforms, etc. Rules out any offending and hidden renaming of host.
Outcome, the events now show host=PA, even though 'host_segment = 4'
[monitor:///app01/logs/ASA]
whitelist = .+\.log$
host_segment = 4
index = syn_netfw
sourcetype = cisco:asa
ignoreOlderThan = 2d
disabled = 0
[monitor:///app01/logs/PaloAlto]
whitelist = .+\.log$
host_segment = 4
index = syn_netfw
sourcetype = pan:log
ignoreOlderThan = 2d
disabled = 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. All data passes directly from the UF to the Indexers. Same process on 4 UF's, but one acting weird 🙄
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sourcetype assignment is distributed as an app from the DS to all UF's, so is 100% identical on all UF's.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you sure that Palo sends the logs in the format you're expecting? Some solutions name their log sending "syslog" but send something that doesn't conform to any standards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. Will have to start eliminating Apps until this problem resolves
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the sourcetype assignment correct on the 1 UF?
The host value can be overridden during Event parsing on HF/Indexer, so you may want to check if some TRANSFORM is applied to that sourcetype.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
