Hello.
My CAS server sends this kind of event through syslog:
2014-07-04 10:00:01,527 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-71914-GqsbHllVCbZDwi2gpdGe-cas3.domain.tld
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Fri Jul 04 10:00:01 CEST 2014
CLIENT IP ADDRESS: 129.94.143.19
SERVER IP ADDRESS: cas.domain.tld
=============================================================
For an unknown reason, the line "WHEN: ..." is incorrectly assigned to host 'CEST'. The documentation about fixing an invalid host field (http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/Handleincorrectly-assignedhostvalues) is focused on correcting data that was incorrectly imported, not on fixing an extraction error on the fly.
Given that it's a syslog source type, is there a way to force the 'host' value to the one from the dedicated syslog element?
Your syslog extraction is following correct assumptions for the default syslog format. As a norm, syslog consists of single line records which are complete in themselves and generally take the form:
{date} {hostname/ip} {substance of syslog entry}
The auto-scan is "correctly" detecting the host name after a date entry for the default syslog type. You will need to override this source as a different sourcetype, and then tweak the extraction parameters.
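A worked configuration for the override described above (an added example, not something from this thread or from Splunk's own defaults). It assumes a new sourcetype named cas_audit, that each audit record reaches Splunk with a BSD syslog header such as "Jul  4 10:00:01 cas.domain.tld " in front of the application line, that the multi-line record should stay one event, and a placeholder monitor path:

```ini
# inputs.conf: route the CAS feed to its own sourcetype so the
# default [syslog] host transform no longer applies to it.
# (placeholder path; assumption for this example)
[monitor:///path/to/cas-syslog.log]
sourcetype = cas_audit

# props.conf: index-time rules for the new sourcetype
[cas_audit]
# Keep the whole audit record together: a new event starts only
# where a syslog header followed by the CAS ISO date appears.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=(?:<\d+>)?\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+[\w.-]+\s+\d{4}-\d\d-\d\d)
# Take the timestamp from the application's own "2014-07-04 10:00:01,527"
# rather than from the syslog header or the "WHEN:" line.
TIME_PREFIX = ^(?:<\d+>)?\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+[\w.-]+\s+
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 30
# Host comes from the syslog header only (transform below).
TRANSFORMS-host = cas_syslog_host

# transforms.conf: anchored at the start of the event, so a later
# "...:01 CEST 2014" inside the record can never be taken as the host.
[cas_syslog_host]
REGEX = ^(?:<\d+>)?\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+([\w.-]+)\s
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

These are index-time settings, so they only affect data indexed after the change and the restart of the indexer or forwarder that parses the feed; already-indexed events keep host=CEST.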
Assuming that any date or host values found in the {substance of syslog entry} section should override the corresponding values found in the dedicated sections is indeed consistent with "last occurrence wins" behaviour, but isn't really meaningful here. The syslog format is often criticized for being under-structured, but this defeats even the structure that is available 🙂
Ok, I'll try to tweak the extraction parameters. Thanks for the advice.