Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Transform not applied based on Host

mesler
Loves-to-Learn
‎07-13-2020 08:42 AM

HI there,

I'm trying to redirect logs from syslog device to a separate index..   Does anyone see an error in this config?
 

 

 

[host::aaa.bbb.ccc.ddd]
TRANSFORMS-juniper_change_index = juniper_change_index

[juniper_change_index]
SOURCE_KEY = MetaData:Host
REGEX = (.*)
DEST_KEY = _MetaData:Index
FORMAT = juniper

 

 


Logs are still going to the main index.  I have other working transforms that operate on sourcetypes and other fields, but for some reason, I've been unable to get this one based on source address working.

Thanks!

Labels (2)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-13-2020 08:52 AM

Please, try DEST_KEY = MetaData:Index w/o trailing _
r. Ismo

0 Karma
Reply

mesler
Loves-to-Learn
‎07-13-2020 09:42 AM

Unfortunately, DEST_KEY = MetaData:Index does not appear to have helped.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-13-2020 09:48 AM

If you are reading those from local /var/log/messages then the hostname probably will be something different than aaa.bbb.ccc.ddd and then this transformation didn’t apply to those events. 

0 Karma
Reply

mesler
Loves-to-Learn
‎07-13-2020 12:42 PM

The IP address was just a placeholder.  I was using the actual address.

I resolved my issue by implementing your suggestion.  I broke out logs by hostname, added the host in question's logs to separate log files, added the new data inputs and set the proper sourcetype and index, and now all is well in the world.

Thanks again for your help and your suggestion!

0 Karma
Reply

mesler
Loves-to-Learn
‎07-13-2020 09:10 AM

I should point out that I just realized that my rule may not be working because these particular logs are coming from the indexer's own /var/log/messages file (rsyslog), so my IP address is perhaps not going to work in this case.  I initially tried using a host name which also didn't work, however perhaps your suggestion will work in either case.  I will report back shortly.  Thanks!

Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-13-2020 09:41 AM

When you are using rsyslog one option is separate logs to own files based on events hostname or just use that hostname on your transforms stanza. 

0 Karma
Reply

mesler
Loves-to-Learn
‎07-13-2020 09:45 AM

That is a fantastic point that I had completely forgotten about.  We just recently upgraded the system hosting Splunk, and simply copied the configs, but I think that would be a much more sensible option in our case.  Thanks very much for your help!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...