Splunk Search

Extracting host from host segment doesn't work

mmohiuddin1512
Explorer

Hi :

I have a monitoring stanza which splunk process is monitoring logs from:

/var/log/hosts//Tue/-2017050209

This is what I have defined in inputs.conf:

[monitor:///var/log/hosts/56.*/.../(\d+).(\d+).(\d+).(\d+)-(\d+)]
host_segment = 4
sourcetype = syslog
index = networkperimeter_firewalls
source = ASA-casyslog1_server
blacklist = .(gz|bz2|z|zip)$
ignoreOlderThan = 1d
crcSalt =

But while checking the logs on Splunk Search Head, the host value shows the host where the UF is installed, it is not monitoring the host from host_segment value, is there something I am missing, or doing incorrect.

Your inputs are highly appreciated.

Tags (2)
0 Karma

koshyk
Super Champion

I feel , the reason is because you have mentioned sourcetype as "syslog" and it will use the inbuilt syslog-host transform
Can you just try

[monitor:///var/log/hosts/56.*/.../(\d+).(\d+).(\d+).(\d+)-(\d+)]
host_segment = 4
sourcetype = mydummy
index = networkperimeter_firewalls
source = ASA-casyslog1_server
blacklist = .(gz|bz2|z|zip)$
ignoreOlderThan = 1d

if This is successful, we will then think of how to override the sourcetype to use host_segment

0 Karma

xavierashe
Contributor

What part of that directory is the hostname?

0 Karma

xavierashe
Contributor

So did you delete the hostname? So is it this?

/var/log/hosts/HOSTNAME/Tue/-2017050209

Have you tried this:

[monitor:///var/log/hosts/*/.../(\d+).(\d+).(\d+).(\d+)-(\d+)]
host_segment = 4
0 Karma

mmohiuddin1512
Explorer

4th segment

0 Karma

somesoni2
Revered Legend

It should work. This will only update the host for events coming from this monitor stanza, unless some setting is overriding it again at heavy forwarder/indexer level.

0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...