Hi,
I have a syslog server (CentOS 6) with Splunk 4.3.1 that receives syslog using the rsyslog daemon. The folder structure is /var/log/remote/1.2.3.4/syslog.log and I want to use the source IP address as the 'host' field.
The docs say to use host_segment, which I've done (inputs.conf shown below), but this seems to be ignored in favour of the syslog event hostname, which could be an IP or could be a hostname.
[monitor:///var/log/remote]
blacklist = *.gz
disabled = false
followTail = 0
index = test
sourcetype = syslog
whitelist = *.log
host_segment = 4
I've also tried manually setting it to a fixed string, and it still prefers the syslog headers. Sometimes the syslog message is that the last message repeated n times, in which case host=last.
Thanks
You can disable the syslog-host transform for the syslog sourcetype by adding the following stanza to your $SPLUNK_HOME/etc/system/local/props.conf
[syslog]
TRANSFORMS =
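To make the precedence behind this answer concrete, here is an added example (not part of the original thread, and not Splunk's own code) that models the two ways a host can be assigned: host_segment picks a path component at input time, and the index-time syslog-host transform then overwrites the host with whatever it extracts from the syslog header, which is why "last message repeated n times" yields host=last. The regex is a simplified stand-in for the shipped syslog-host transform (an assumption, not a copy of Splunk's transforms.conf), and the log lines and path are constructed for the demonstration.

```python
import re

# Simplified stand-in for Splunk's default "syslog-host" transform (assumption,
# not the shipped regex): after the seconds field of the timestamp, take the
# first whitespace-delimited token of three or more characters as the host.
# Square brackets around the token are tolerated, as in "[10.0.0.5]".
SYSLOG_HOST_RE = re.compile(r':\d\d\s+\[?(\w[\w.\-]{2,})\]?\s')


def host_from_segment(path, segment):
    """Model inputs.conf host_segment = N: the Nth path component, counting
    from 1 for the first component after the leading slash, so
    host_segment = 4 on /var/log/remote/1.2.3.4/syslog.log gives 1.2.3.4."""
    parts = [p for p in path.split('/') if p]
    if 0 < segment <= len(parts):
        return parts[segment - 1]
    return None


def host_from_header(event):
    """Model the syslog-host transform: return the host token from the syslog
    header, or None if the regex does not match."""
    m = SYSLOG_HOST_RE.search(event)
    return m.group(1) if m else None


def resolve_host(path, segment, event, syslog_transform_enabled):
    """host_segment sets the default host when the file is read; if the
    sourcetype's syslog-host transform is still enabled it runs afterwards and
    replaces the host whenever its regex matches. Disabling the transform
    (TRANSFORMS = in a local [syslog] props.conf stanza) keeps the path-derived
    host."""
    host = host_from_segment(path, segment)
    if syslog_transform_enabled:
        header_host = host_from_header(event)
        if header_host:
            host = header_host
    return host


# Constructed sample input: the asker's directory layout and three typical
# syslog lines as rsyslog writes them (not real captured data).
SAMPLE_PATH = "/var/log/remote/1.2.3.4/syslog.log"
SAMPLE_EVENTS = [
    "Mar  1 12:00:00 fw01 kernel: link up on eth0",
    "Mar  1 12:00:05 last message repeated 3 times",
    "Mar  1 12:00:07 [10.0.0.5] sshd[2041]: Accepted publickey for ops",
]


def demo():
    """Return (transform enabled host, transform disabled host) per event."""
    return [
        (resolve_host(SAMPLE_PATH, 4, e, True),
         resolve_host(SAMPLE_PATH, 4, e, False))
        for e in SAMPLE_EVENTS
    ]


if __name__ == "__main__":
    for event, (with_transform, without_transform) in zip(SAMPLE_EVENTS, demo()):
        print(f"{event!r}")
        print(f"  syslog-host enabled : host={with_transform}")
        print(f"  syslog-host disabled: host={without_transform}")
```

Run it and the middle line shows the failure mode from the question: with the transform enabled the host becomes "last", with it disabled every event keeps the 1.2.3.4 taken from the path. After adding the props.conf stanza above and restarting, `$SPLUNK_HOME/bin/splunk btool props list syslog --debug` is the usual way to confirm that the local empty TRANSFORMS value is the one in effect.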
I have the same problem (Why isn't this in the official docs for host_segment?) but I don't want to change all events of the syslog sourcetype. What should I do?
Worked a treat. Thanks.