invalid host extraction

rousse
New Member

Hello.

My CAS server sends this kind of event through syslog:

2014-07-04 10:00:01,527 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-71914-GqsbHllVCbZDwi2gpdGe-cas3.domain.tld
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Fri Jul 04 10:00:01 CEST 2014
CLIENT IP ADDRESS: 129.94.143.19
SERVER IP ADDRESS: cas.domain.tld
=============================================================

For an unknown reason, the line "WHEN: ..." is incorrectly assigned to host 'CEST'. The documentation about fixing the invalid host field (http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/Handleincorrectly-assignedhostvalues) is focused on correcting data that was incorrectly imported, not on fixing an extraction error on the fly.

Given that it's a syslog source type, is there a way to force the 'host' value to the one from the dedicated syslog element?


grijhwani
Motivator

Your syslog extraction is following correct assumptions for the default syslog format. As a norm, syslog consists of single-line records which are complete in themselves and generally take the form:

{date} {hostname/ip} {substance of syslog entry}

The auto-scan is "correctly" detecting the host name after a date entry for the default syslog type. You will need to override this source as a different sourcetype, and then tweak the extraction parameters.

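As an added illustration (not code from the thread, and not Splunk's own code), the script below runs the posted event through a host regex of the same shape as Splunk's default syslog host transform (my reconstruction, an assumption about the default) and shows why the word after the "10:00:01" in the WHEN line wins; it then applies a hypothetical regex a custom sourcetype could use to take the host from the event's own "SERVER IP ADDRESS:" line instead.

```python
import re
from typing import Optional

# Constructed sample: the multi-line CAS audit event exactly as posted above.
CAS_EVENT = """2014-07-04 10:00:01,527 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-71914-GqsbHllVCbZDwi2gpdGe-cas3.domain.tld
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Fri Jul 04 10:00:01 CEST 2014
CLIENT IP ADDRESS: 129.94.143.19
SERVER IP ADDRESS: cas.domain.tld
=============================================================
"""

# Assumption: a host regex of the shape the default syslog host transform uses,
# i.e. "after the seconds field of a timestamp, take the next word as the host".
# It is not anchored to the start of the event, so it scans every line. In the
# first line ":01,527" fails (comma, not whitespace), so the first match is
# ":01 CEST " in the WHEN line and the host becomes "CEST".
SYSLOG_STYLE_HOST_RE = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w.\-]{2,})\]?\s"
)

# Hypothetical transform for the custom sourcetype suggested in the answer:
# read the host from the event's own SERVER IP ADDRESS line. In transforms.conf
# this REGEX would be paired with DEST_KEY = MetaData:Host and FORMAT = host::$1.
CAS_SERVER_HOST_RE = re.compile(r"^SERVER IP ADDRESS:\s*(\S+)\s*$", re.MULTILINE)


def extract_host(event: str, pattern: "re.Pattern[str]") -> Optional[str]:
    """Return the first capture group of pattern in event, or None if no match."""
    m = pattern.search(event)
    return m.group(1) if m else None


def explain(event: str) -> dict:
    """Host value each transform would assign to the same event."""
    return {
        "syslog_style": extract_host(event, SYSLOG_STYLE_HOST_RE),
        "cas_server": extract_host(event, CAS_SERVER_HOST_RE),
    }


if __name__ == "__main__":
    for name, host in explain(CAS_EVENT).items():
        print(f"{name}: host={host!r}")
```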

rousse
New Member

Assuming that any date or host values found in the {substance of syslog entry} section should override the corresponding values found in the dedicated sections is indeed consistent with "last occurrence wins" behaviour, but isn't really meaningful here. The syslog format is often criticized for being under-structured, but this defeats even the available structuration 🙂

OK, I'll try to tweak the extraction parameters. Thanks for the advice.
