Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Transform not applied based on Host

mesler
Loves-to-Learn
‎07-13-2020 08:42 AM

HI there,

I'm trying to redirect logs from syslog device to a separate index..   Does anyone see an error in this config?
 

 

 

[host::aaa.bbb.ccc.ddd]
TRANSFORMS-juniper_change_index = juniper_change_index

[juniper_change_index]
SOURCE_KEY = MetaData:Host
REGEX = (.*)
DEST_KEY = _MetaData:Index
FORMAT = juniper

 

 


Logs are still going to the main index.  I have other working transforms that operate on sourcetypes and other fields, but for some reason, I've been unable to get this one based on source address working.

Thanks!

Labels (2)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-13-2020 08:52 AM

Please, try DEST_KEY = MetaData:Index w/o trailing _
r. Ismo

0 Karma
Reply

mesler
Loves-to-Learn
‎07-13-2020 09:42 AM

Unfortunately, DEST_KEY = MetaData:Index does not appear to have helped.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-13-2020 09:48 AM

If you are reading those from local /var/log/messages then the hostname probably will be something different than aaa.bbb.ccc.ddd and then this transformation didn’t apply to those events. 

0 Karma
Reply

mesler
Loves-to-Learn
‎07-13-2020 12:42 PM

The IP address was just a placeholder.  I was using the actual address.

I resolved my issue by implementing your suggestion.  I broke out logs by hostname, added the host in question's logs to separate log files, added the new data inputs and set the proper sourcetype and index, and now all is well in the world.

Thanks again for your help and your suggestion!

0 Karma
Reply

mesler
Loves-to-Learn
‎07-13-2020 09:10 AM

I should point out that I just realized that my rule may not be working because these particular logs are coming from the indexer's own /var/log/messages file (rsyslog), so my IP address is perhaps not going to work in this case.  I initially tried using a host name which also didn't work, however perhaps your suggestion will work in either case.  I will report back shortly.  Thanks!

Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-13-2020 09:41 AM

When you are using rsyslog one option is separate logs to own files based on events hostname or just use that hostname on your transforms stanza. 

0 Karma
Reply

mesler
Loves-to-Learn
‎07-13-2020 09:45 AM

That is a fantastic point that I had completely forgotten about.  We just recently upgraded the system hosting Splunk, and simply copied the configs, but I think that would be a much more sensible option in our case.  Thanks very much for your help!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...