Splunk Search

How to extract the switchname for a network device on a forwarder as the host name instead of the syslog server's name?

watsontony80
New Member

I've got a server where all my networking devices report their information via syslog. On the server, I have a forwarder pushing data to my Splunk instance. However, when the Splunk server receives the information from the syslog server, the host is incorrectly identified as the syslog server's name rather than the actual network device's name. I think I need a regex to extract the host name (it's currently in a field called reported_hostname in Splunk), but I can't get the syntax right to extract it. My logs look like:

Dec 18 00:00:45 switchname/switchname 2174: Dec 18 00:00:44.133 est: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Start for session 00000995 failed to receive Accounting Response.

I'm trying to set the host name to be the switchname above. How do I extract this and get it labelled as the host off the forwarder? The logs contain more than one switchname, so I can't just do a host=name in my inputs.conf.


martin_mueller
SplunkTrust

You'll want something like this:

props.conf
[your_sourcetype]
...
TRANSFORMS-hostname = hostname_from_syslog

transforms.conf
[hostname_from_syslog]
REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\s+(\S+)
DEST_KEY = MetaData:Host
FORMAT = host::$1
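To see what the transform above actually sets as the host, here is an added Python example (not from either post) that runs the answer's REGEX over constructed syslog lines modelled on the one in the question. It also tries an assumed tighter variant that stops at the first "/", since the sample line carries the switch name as "switchname/switchname".

```python
import re

# The REGEX from the answer: skip "Mon DD HH:MM:SS " and capture the next
# non-whitespace token; Splunk writes that capture to MetaData:Host as host::$1.
POSTED_REGEX = re.compile(r"^\w+\s+\d+\s+\d+:\d+:\d+\s+(\S+)")

# Assumed variant (not from the thread): stop at the first "/" so the
# "switchname/switchname" token yields a single switch name.
STOP_AT_SLASH_REGEX = re.compile(r"^\w+\s+\d+\s+\d+:\d+:\d+\s+([^\s/]+)")


def extract_host(line, pattern=POSTED_REGEX):
    """Return the host the transform would set for this line, or None when
    the line does not match (Splunk then leaves the host as it was, i.e. the
    syslog server's name)."""
    m = pattern.match(line)
    return m.group(1) if m else None


# Constructed sample lines; the first is the one from the question.
SAMPLE_LINES = [
    "Dec 18 00:00:45 switchname/switchname 2174: Dec 18 00:00:44.133 est: "
    "%RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Start for session "
    "00000995 failed to receive Accounting Response.",
    "Dec 18 00:01:02 core-sw02/core-sw02 2175: Dec 18 00:01:01.900 est: "
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "garbage line without a syslog timestamp",
]


def assign_hosts(lines, fallback="syslog-server", pattern=POSTED_REGEX):
    """Map each line to the host it would be indexed under; lines the regex
    does not match keep the forwarder's default host (the syslog server)."""
    return [extract_host(line, pattern) or fallback for line in lines]


if __name__ == "__main__":
    for host, line in zip(assign_hosts(SAMPLE_LINES), SAMPLE_LINES):
        print(f"{host:24s} {line[:60]}")
```

Index-time TRANSFORMS are evaluated on the parsing tier (indexer or heavy forwarder), so the props.conf and transforms.conf stanzas belong there rather than on a universal forwarder. Lines that do not match the pattern silently keep the syslog server's name, so it is worth searching for events still carrying that host after the change.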