Extracting host from host segment doesn't work

mmohiuddin1512
Explorer

Hi:

I have a monitoring stanza through which the Splunk process is monitoring logs from:

/var/log/hosts//Tue/-2017050209

This is what I have defined in inputs.conf:

[monitor:///var/log/hosts/56.*/.../(\d+).(\d+).(\d+).(\d+)-(\d+)]
host_segment = 4
sourcetype = syslog
index = networkperimeter_firewalls
source = ASA-casyslog1_server
blacklist = .(gz|bz2|z|zip)$
ignoreOlderThan = 1d
crcSalt =

But while checking the logs on the Splunk Search Head, the host value shows the host where the UF is installed; it is not taking the host from the host_segment value. Is there something I am missing or doing incorrectly?

Your inputs are highly appreciated.


koshyk
Super Champion

I feel the reason is that you have set the sourcetype to "syslog", so it will use the inbuilt syslog-host transform.
Can you just try:

[monitor:///var/log/hosts/56.*/.../(\d+).(\d+).(\d+).(\d+)-(\d+)]
host_segment = 4
sourcetype = mydummy
index = networkperimeter_firewalls
source = ASA-casyslog1_server
blacklist = .(gz|bz2|z|zip)$
ignoreOlderThan = 1d

If this is successful, we will then think about how to override the sourcetype to use host_segment.

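To make the two answers above concrete, here is an added Python model (not from the thread and not Splunk's own code) of the two stages that set host for files under this stanza: input-time host_segment on the forwarder, then the index-time syslog-host transform that props.conf [syslog] applies to sourcetype=syslog only. The transform regex is reproduced from memory of Splunk's default transforms.conf, and the host directory, file name and ASA lines are constructed samples.

```python
import re
from typing import Optional

# Regex of Splunk's built-in [syslog-host] transform, reproduced from memory;
# verify it against $SPLUNK_HOME/etc/system/default/transforms.conf.
SYSLOG_HOST_REGEX = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s"
)

# Constructed samples: a host directory matching the stanza's "56.*" segment,
# one ASA line whose syslog header names the firewall, and one whose header
# carries no hostname (as when ASA "logging device-id" is not configured).
SAMPLE_PATH = "/var/log/hosts/56.10.20.30/Tue/10.20.30.40-2017050209"
EVENT_WITH_HEADER_HOST = "May  2 09:00:01 fw-edge-01 %ASA-6-302013: Built inbound TCP connection"
EVENT_WITHOUT_HEADER_HOST = "May  2 09:00:01 %ASA-6-302013: Built inbound TCP connection"


def host_from_segment(path: str, host_segment: int) -> Optional[str]:
    """Input-time host_segment: split the file path on '/' and count segments
    1-based from the left (the leading '/' yields no segment). None means the
    segment does not exist, and Splunk keeps the forwarder's default host."""
    segments = [s for s in path.split("/") if s]
    if 1 <= host_segment <= len(segments):
        return segments[host_segment - 1]
    return None


def host_from_syslog_header(event: str) -> Optional[str]:
    """Index-time [syslog-host] transform: the token after the timestamp in a
    classic syslog header, or None when the header does not match (the host
    already on the event is then left untouched)."""
    m = SYSLOG_HOST_REGEX.search(event)
    return m.group(1) if m else None


def resolve_host(path: str, host_segment: int, sourcetype: str,
                 event: str, default_host: str) -> str:
    """Apply both stages in Splunk's order. props.conf [syslog] sets
    TRANSFORMS = syslog-host, so the second stage runs for that sourcetype only;
    koshyk's sourcetype=mydummy suggestion skips it."""
    host = host_from_segment(path, host_segment) or default_host
    if sourcetype == "syslog":
        host = host_from_syslog_header(event) or host
    return host


if __name__ == "__main__":
    for st, ev in [("syslog", EVENT_WITH_HEADER_HOST),
                   ("syslog", EVENT_WITHOUT_HEADER_HOST),
                   ("mydummy", EVENT_WITH_HEADER_HOST)]:
        print(st, "->", resolve_host(SAMPLE_PATH, 4, st, ev, "uf-host"))
```

The third case shows why a firewall header with no hostname leaves host_segment's value in place even under sourcetype=syslog, while a header that does name a host silently replaces it.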

xavierashe
Contributor

What part of that directory is the hostname?


xavierashe
Contributor

So did you delete the hostname? So is it this?

/var/log/hosts/HOSTNAME/Tue/-2017050209

Have you tried this:

[monitor:///var/log/hosts/*/.../(\d+).(\d+).(\d+).(\d+)-(\d+)]
host_segment = 4

mmohiuddin1512
Explorer

4th segment


somesoni2
Revered Legend

It should work. This will only update the host for events coming from this monitor stanza, unless some setting is overriding it again at heavy forwarder/indexer level.
