Splunk Search

Extracting host from host segment doesn't work

mmohiuddin1512
Explorer

Hi :

I have a monitoring stanza which splunk process is monitoring logs from:

/var/log/hosts//Tue/-2017050209

This is what I have defined in inputs.conf:

[monitor:///var/log/hosts/56.*/.../(\d+).(\d+).(\d+).(\d+)-(\d+)]
host_segment = 4
sourcetype = syslog
index = networkperimeter_firewalls
source = ASA-casyslog1_server
blacklist = .(gz|bz2|z|zip)$
ignoreOlderThan = 1d
crcSalt =

But while checking the logs on Splunk Search Head, the host value shows the host where the UF is installed, it is not monitoring the host from host_segment value, is there something I am missing, or doing incorrect.

Your inputs are highly appreciated.

Tags (2)
0 Karma

koshyk
Super Champion

I feel , the reason is because you have mentioned sourcetype as "syslog" and it will use the inbuilt syslog-host transform
Can you just try

[monitor:///var/log/hosts/56.*/.../(\d+).(\d+).(\d+).(\d+)-(\d+)]
host_segment = 4
sourcetype = mydummy
index = networkperimeter_firewalls
source = ASA-casyslog1_server
blacklist = .(gz|bz2|z|zip)$
ignoreOlderThan = 1d

if This is successful, we will then think of how to override the sourcetype to use host_segment

0 Karma

xavierashe
Contributor

What part of that directory is the hostname?

0 Karma

xavierashe
Contributor

So did you delete the hostname? So is it this?

/var/log/hosts/HOSTNAME/Tue/-2017050209

Have you tried this:

[monitor:///var/log/hosts/*/.../(\d+).(\d+).(\d+).(\d+)-(\d+)]
host_segment = 4
0 Karma

mmohiuddin1512
Explorer

4th segment

0 Karma

somesoni2
Revered Legend

It should work. This will only update the host for events coming from this monitor stanza, unless some setting is overriding it again at heavy forwarder/indexer level.

0 Karma
Get Updates on the Splunk Community!

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

It's 3:17 AM, and your phone buzzes with an urgent alert. Wire transfer processing times have spiked, and ...