Splunk Search

Can I prevent the default index-time extraction for the "host" field to occur for events of the "syslog" sourcetype?

hexx
Splunk Employee
Splunk Employee

I have several lightweight forwarders collecting syslog data from files in their respective /var/log/ directories and forwarding it all to one indexer.

For some of them, the hostname written in the files of /var/log/ differs from the system hostname (uname -n) set for the forwarder. This is intended.

I would like my indexer to always set the value of the "host" field of those events to the hostname of the forwarder sending them, NOT to extract that value from the contents of the file.

How can I achieve this?

1 Solution

hexx
Splunk Employee
Splunk Employee

The value of the "host" field for events of the "syslog" sourcetype is extracted using the "syslog-host" transform.

The transform is called in $SPLUNK_HOME/etc/system/default/props.conf :

[syslog]
pulldown_type = true 
maxDist = 3
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS = syslog-host
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = False

The index-time filed extraction transform is defined $SPLUNK_HOME/etc/system/default/transforms.conf.

The easiest way to prevent that extraction from happening is to suppress the call of the transform by populating the $SPLUNK_HOME/etc/system/local/props.conf file in the following way :

[syslog]
TRANSFORMS = 

This will result in the following effective configuration stanza for props.conf, which shows we have overwritten the TRANSFORMS used for the "syslog" sourcetype :

# $SPLUNK_HOME/bin/splunk cmd btool props list syslog --debug
system [syslog]
system BREAK_ONLY_BEFORE =
system BREAK_ONLY_BEFORE_DATE = True
system CHARSET = UTF-8
system DATETIME_CONFIG = /etc/datetime.xml
(...)
system TIME_FORMAT = %b %d %H:%M:%S
system TRANSFORMS =
system TRUNCATE = 10000
system maxDist = 3
system pulldown_type = true

After a restart of Splunk, the indexer will use the source ip/hostname of the forwarder that sent that data to populate the "host" field.

View solution in original post

hexx
Splunk Employee
Splunk Employee

The value of the "host" field for events of the "syslog" sourcetype is extracted using the "syslog-host" transform.

The transform is called in $SPLUNK_HOME/etc/system/default/props.conf :

[syslog]
pulldown_type = true 
maxDist = 3
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS = syslog-host
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = False

The index-time filed extraction transform is defined $SPLUNK_HOME/etc/system/default/transforms.conf.

The easiest way to prevent that extraction from happening is to suppress the call of the transform by populating the $SPLUNK_HOME/etc/system/local/props.conf file in the following way :

[syslog]
TRANSFORMS = 

This will result in the following effective configuration stanza for props.conf, which shows we have overwritten the TRANSFORMS used for the "syslog" sourcetype :

# $SPLUNK_HOME/bin/splunk cmd btool props list syslog --debug
system [syslog]
system BREAK_ONLY_BEFORE =
system BREAK_ONLY_BEFORE_DATE = True
system CHARSET = UTF-8
system DATETIME_CONFIG = /etc/datetime.xml
(...)
system TIME_FORMAT = %b %d %H:%M:%S
system TRANSFORMS =
system TRUNCATE = 10000
system maxDist = 3
system pulldown_type = true

After a restart of Splunk, the indexer will use the source ip/hostname of the forwarder that sent that data to populate the "host" field.

Get Updates on the Splunk Community!

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...