tranforms file to change hosts for syslog not work...

nitin_mehta · ‎10-24-2012

Hi,
Note: I am using Splunk Universal forwarder
We are forwarding logs form our central syslog server to a new splunk server.
In the universal forwarder I am trying to put in a transform to change the host field to the machine that has sent the syslog logs to the central sylog server.

All the syslog records have s_local@hostname in the record so I want to extract this hostname field. The logs files themselves are under the path /var/log/HOSTS/ on the central syslog server. The problem is that only the syslog server shows up in the host field on the splunk server(syslog server name=hds1prd)

The files on the forwader are:

-inputs.conf

[monitor:///var/log/HOSTS/...]

disabled = 0

followTail = 0

sourcetype = syslog

whitelist = 2012

-props.conf

[ syslog ]

TRANSFORMS-t1 = rename_host

-transforms.conf

[rename_host]

REGEX = s_local@([^\s]+)

FORMAT = host::$1

DEST_KEY = MetaData:Host

Any help will be much appreciated,

Ayn · ‎10-24-2012

The main reason for that this isn't working is that you're applying these settings on your forwarder. Forwarders do not perform any parsing of data, so they cannot perform any filtering. These settings should go on your indexer instead.

tranforms file to change hosts for syslog not working

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation