Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Transform not applied based on Host

mesler
Loves-to-Learn
‎07-13-2020 08:42 AM

HI there,

I'm trying to redirect logs from syslog device to a separate index..   Does anyone see an error in this config?
 

 

 

[host::aaa.bbb.ccc.ddd]
TRANSFORMS-juniper_change_index = juniper_change_index

[juniper_change_index]
SOURCE_KEY = MetaData:Host
REGEX = (.*)
DEST_KEY = _MetaData:Index
FORMAT = juniper

 

 


Logs are still going to the main index.  I have other working transforms that operate on sourcetypes and other fields, but for some reason, I've been unable to get this one based on source address working.

Thanks!

Labels (2)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-13-2020 08:52 AM

Please, try DEST_KEY = MetaData:Index w/o trailing _
r. Ismo

0 Karma
Reply

mesler
Loves-to-Learn
‎07-13-2020 09:42 AM

Unfortunately, DEST_KEY = MetaData:Index does not appear to have helped.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-13-2020 09:48 AM

If you are reading those from local /var/log/messages then the hostname probably will be something different than aaa.bbb.ccc.ddd and then this transformation didn’t apply to those events. 

0 Karma
Reply

mesler
Loves-to-Learn
‎07-13-2020 12:42 PM

The IP address was just a placeholder.  I was using the actual address.

I resolved my issue by implementing your suggestion.  I broke out logs by hostname, added the host in question's logs to separate log files, added the new data inputs and set the proper sourcetype and index, and now all is well in the world.

Thanks again for your help and your suggestion!

0 Karma
Reply

mesler
Loves-to-Learn
‎07-13-2020 09:10 AM

I should point out that I just realized that my rule may not be working because these particular logs are coming from the indexer's own /var/log/messages file (rsyslog), so my IP address is perhaps not going to work in this case.  I initially tried using a host name which also didn't work, however perhaps your suggestion will work in either case.  I will report back shortly.  Thanks!

Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-13-2020 09:41 AM

When you are using rsyslog one option is separate logs to own files based on events hostname or just use that hostname on your transforms stanza. 

0 Karma
Reply

mesler
Loves-to-Learn
‎07-13-2020 09:45 AM

That is a fantastic point that I had completely forgotten about.  We just recently upgraded the system hosting Splunk, and simply copied the configs, but I think that would be a much more sensible option in our case.  Thanks very much for your help!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...