Splunk Search

Append Domain name at index time?

daniel333
Builder

All,

I have logs coming in from /var/log/messages and /var/log/maillog which have the hostname not the FQDN. There is just too much change control and politics to get them fixed at the source. Looking for a way at index time to just make the correction.

Server names are well formed: 12 characters ending in three numbers.

So I need to create a props.conf/transforms.conf on my indexer, just not sure what it will look like.

If host = .*\n\n\n then append mycompany.com

Any ideas what that might look like?

0 Karma

lfedak_splunk
Splunk Employee

Hey @daniel333 if they solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!

0 Karma

s2_splunk
Splunk Employee

This post will show you the general approach to modifying your metadata field 'host'; adjust the RegEx to match properly.

0 Karma

DalJeanis
Legend

This should match any host that does not end with .com, and append mycompany.com onto the current value.

[yourstanzaname]
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Host
REGEX = (.*$)(?<!\.com$)
FORMAT = host::$1mycompany.com

...or...

REGEX = .*$(?<!\.com$)
FORMAT = host::$0mycompany.com

Updated, because you meant THAT Host.

Just kidding, I just forgot we were talking about an ultra special snowflake of a MetaData field.

https://answers.splunk.com/answers/492863/what-happens-if-dest-key-metadatahost.html


Updated one more time, to change \0 to $0 and \1 to $1 because contextually we're in a .conf file and not a rex in sed mode.

(sigh)

0 Karma

daniel333
Builder

Doesn't seem to be flying. Tried this config as well as swapping host for MetaData:Host in your DEST_KEY. I feel like I am missing something key here.

#props.conf
[syslog]
TRANSFORMS-FIELDS = syslog_fix_fqdn

#transforms.conf
[syslog_fix_fqdn]
SOURCE_KEY = host
DEST_KEY = host
REGEX = .*$(?<!\.com$)
FORMAT = \0ilovethecompany.com
0 Karma

DalJeanis
Legend

@daniel333 - try the new code.

0 Karma

daniel333
Builder

Thanks for replying!

I tried the new code and I ended up with my hostnames getting changed to

\1mycompany.com

Not following how that capture should work there. How do \1 and \0 refer back to the above regex?

0 Karma

DalJeanis
Legend

@daniel333 - my bad. Just rechecked the docs, and those slashes should be $s in this location. Updated.

0 Karma
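As an added example, not code from the thread or from Splunk itself: a small Python emulation of the MetaData:Host transform posted above, so the REGEX/FORMAT pair can be checked against sample host values before it is deployed to an indexer. Assumptions: the sample hostnames are constructed for this example; the STRICT_TRANSFORM regex is my own stricter rendering of the "12 characters ending in three digits" naming rule from the question; and the FORMAT below puts a dot between the hostname and the domain, which the FORMAT as posted omits (without it the host becomes appserver001mycompany.com). The last step reproduces the \1mycompany.com result from earlier in the thread: in a .conf FORMAT only $0, $1, ... are group references, a backslash reference is literal text.

```python
import re

# Host values as they would arrive from /var/log/messages and /var/log/maillog.
# Constructed for this example; the naming rule in the question is twelve
# characters ending in three digits.
SAMPLE_HOSTS = [
    "appserver001",                 # short hostname: should get the domain appended
    "appserver001.mycompany.com",   # already an FQDN: must be left alone
    "dbserver-042",                 # twelve characters, ends in three digits, has a hyphen
]

# The transforms.conf stanza from the thread, with one change: a dot before the
# domain, which the posted FORMAT omits.
THREAD_TRANSFORM = {
    "SOURCE_KEY": "MetaData:Host",
    "DEST_KEY": "MetaData:Host",
    "REGEX": r"(.*$)(?<!\.com$)",
    "FORMAT": "host::$1.mycompany.com",
}

# Stricter variant (my assumption, not from the thread): fire only on values that
# match the stated naming rule, so nothing else that merely lacks ".com" is rewritten.
STRICT_TRANSFORM = dict(THREAD_TRANSFORM, REGEX=r"^([\w-]{9}\d{3})$")


def expand_format(fmt, match):
    """Expand $0, $1, ... the way a transforms.conf FORMAT does.

    Backslash references such as \\1 are not group references in FORMAT, so they
    pass through as literal text; that is why hosts in the thread were renamed to
    "\\1mycompany.com".
    """
    def repl(m):
        idx = int(m.group(1))
        if idx > match.re.groups:
            raise ValueError(
                f"FORMAT references ${idx} but REGEX defines only {match.re.groups} group(s)"
            )
        return match.group(idx)

    return re.sub(r"\$(\d+)", repl, fmt)


def apply_host_transform(host, transform):
    """Emulate one transform that reads and writes MetaData:Host for a single event."""
    m = re.search(transform["REGEX"], host)
    if m is None:
        return host  # REGEX did not match: the transform does not fire, host unchanged
    value = expand_format(transform["FORMAT"], m)
    # With DEST_KEY = MetaData:Host the FORMAT value must be "host::<new value>".
    prefix = "host::"
    if not value.startswith(prefix):
        raise ValueError("FORMAT for DEST_KEY = MetaData:Host must start with 'host::'")
    return value[len(prefix):]


def rewrite_all(hosts, transform):
    """Map each sample host to the value the transform would write."""
    return {h: apply_host_transform(h, transform) for h in hosts}


if __name__ == "__main__":
    for name, t in (("thread", THREAD_TRANSFORM), ("strict", STRICT_TRANSFORM)):
        print(name)
        for before, after in rewrite_all(SAMPLE_HOSTS, t).items():
            print(f"  {before:28} -> {after}")
    # The mistake from the thread: a backslash group reference is literal text.
    broken = dict(THREAD_TRANSFORM, FORMAT="host::\\1mycompany.com")
    print("broken:", apply_host_transform("appserver001", broken))
```

Running the script prints the before/after value for each sample host under both stanzas, then the literal "\1mycompany.com" that the backslash form produces. The same checks apply to the $0 variant from the answer (REGEX = .*$(?<!\.com$) with FORMAT = host::$0.mycompany.com), since group 0 is the whole match.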

alemarzu
Motivator

Are you listening to syslog directly from the syslog server, or do you have syslogd writing to a file on your Splunk server?

0 Karma

daniel333
Builder

Splunk for Nix is installed. So it's being gathered locally.

0 Karma