Getting Data In

invalid host extraction

rousse
New Member

Hello.

My CAS server send this kind of even through syslog:

2014-07-04 10:00:01,527 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-71914-GqsbHllVCbZDwi2gpdGe-cas3.domain.tld
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Fri Jul 04 10:00:01 CEST 2014
CLIENT IP ADDRESS: 129.94.143.19
SERVER IP ADDRESS: cas.domain.tld
=============================================================

For an unknown reason, the line "WHEN: ..." is incorrectly assigned to host 'CEST'. The documentation about fixing invalid host field (http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/Handleincorrectly-assignedhostvalues) is focused about correcting data incorrectly imported, not about fixing an extraction error on the fly.

Given that's a syslog source type, is there way to force 'host' value as the one from the dedicated syslog element ?

Tags (2)
0 Karma

grijhwani
Motivator

Your syslog extraction is following correct assumptions for the default syslog format. As a norm, syslog consists of single line records which are complete in themselves and generally take the form:

{date} {hostname/ip} {substance of syslog entry}

The auto-scan is "correctly" detecting the host name after a date entry for the default syslog type. You will need to override this source as a different sourcetype, and then tweak the extraction parameters.

0 Karma

rousse
New Member

Assuming than any date or host values found in {substance of syslog entry} section should override corresponding values found in dedicated sections is indeed consistent with "last occurence wins" behaviour, but isn't really meaningful here. Syslog format is often criticized for being under-structured, but this defeat even available structuration 🙂

Ok, I'll try to tweak the extraction parameters. Thanks for the advice.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...