Getting Data In

syslog field over-rides host_segment

inglisn
Path Finder

Hi,

I have a syslog server (Centos 6) with splunk 4.3.1 that receives syslog using the rsyslog daemon. The folder structure is /var/log/remote/1.2.3.4/syslog.log and I want to use the source IP address as the 'host' field.

The docs say to use host_segment, which I've done (inputs.conf shown below) but this seems to be ignored in favour of the syslog event hostname which could be IP, or could be hostname.

[monitor:///var/log/remote]
blacklist = *.gz
disabled = false
followTail = 0
index = test
sourcetype = syslog
whitelist = *.log
host_segment = 4

I've also tried manually setting it to a fixed string, and it still prefers the syslog headings. Sometimes the syslog message is that the last message repeated n times, in which case host=last.

Thanks

Tags (2)
1 Solution

ziegfried
Influencer

You can disable the syslog-host transform for the syslog sourcetype by adding the following stanza to your $SPLUNK_HOME/etc/system/local/props.conf

[syslog]
TRANSFORMS = 

View solution in original post

ziegfried
Influencer

You can disable the syslog-host transform for the syslog sourcetype by adding the following stanza to your $SPLUNK_HOME/etc/system/local/props.conf

[syslog]
TRANSFORMS = 

bnorthway
Path Finder

I have the same problem (Why isn't this in the official docs for host_segment?) but I don't want to change all events of the syslog sourcetype. What should I do?

0 Karma

inglisn
Path Finder

Worked a treat. Thanks.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...