Hi there,
we have an issue with hostname extraction from syslog events.
Normally the extraction works fine, but for some sources it won't.
The event is shown as follows:
<186>13286: : : 7499: full.qualified.domainname: Jan 20 2017 08:44:06 AM.938 UTC : %UC_RTMT-2-RTMT_ALERT:....
And Splunk extracts AM.938 as the host field.
With other syslog events like this:
<187>4265: : : 3147: full.qualified.domainname: Jan 20 2017 08:50:11.151 UTC : %UC_CALLMANAGER
the hostname is extracted as full.qualified.domainname.
How can I change the hostname extraction for the first event example?
Both events arrive at the Splunk indexer via UDP on port 514, so I couldn't change the global extraction rule.
For me the problem is located in the timestamp. The first example event has AM/PM in it and the second one does not. But I don't know where it comes from.
Hi krusty,
can you share the host regex?
Anyway, you should try to use a regex like \<\d+\>\d+:\s:\s:\s\d+:\s(?<hostname>[^:]*): to extract the correct host
(see https://regex101.com/r/ZDCObt/1).
Bye.
Giuseppe
We have the same issue, but only from one type of device. If I apply this setting, will it affect all other syslogs coming into Splunk?
Hi john.byun,
I don't know your situation, but usually it depends on the appliance; we used pre-parsing in many situations.
Bye.
Giuseppe
Probably the best way is to pre-parse your syslog before Splunk acquires it.
Bye.
Giuseppe
Hi Giuseppe,
thanks for your answer.
Indeed, I have to add the following entries to my transforms.conf and props.conf.
transforms.conf
[change_host_cuc]
SOURCE_KEY = _raw
REGEX = \<\d+\>[\d\s]+\:[\d\s]+\:[\d\s]+\:[\d\s]+\:\s(cuc\d+[^:]*):
DEST_KEY = MetaData:Host
FORMAT = host::$1
WRITE_META = true
props.conf
[syslog]
...
TRANSFORMS-cuc = change_host_cuc
...
So your idea to change the regex was perfect.
Many thanks for this.
Could you also tell me how to change the time format for the events during indexing?
As you can see, the event is in US time format but all other events are in 24h format. If it's possible, I'd like to make this uniform.
Kind regards
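As an added check that is not part of the thread: the script below emulates a Splunk index-time transform (REGEX, then FORMAT = host::$1 into MetaData:Host) over the two event formats quoted in the question plus two constructed lines, using both Giuseppe's generic regex and krusty's cuc-specific one. Assumptions: Python's re stands in for Splunk's PCRE (only the named-group syntax differs), the hostname cuc01.example.invalid and the plain sshd line are constructed, and the FORMAT expansion is a simplified model of what Splunk does.

```python
import re

# Constructed sample events: the first two are the formats quoted in the
# question (hostname anonymised by the poster), the third is a constructed
# event whose hostname starts with "cuc" (what krusty's transform targets),
# the fourth is an unrelated, constructed syslog line from another source.
EVENTS = [
    "<186>13286: : : 7499: full.qualified.domainname: Jan 20 2017 08:44:06 AM.938 UTC : %UC_RTMT-2-RTMT_ALERT:....",
    "<187>4265: : : 3147: full.qualified.domainname: Jan 20 2017 08:50:11.151 UTC : %UC_CALLMANAGER",
    "<186>13287: : : 7500: cuc01.example.invalid: Jan 20 2017 08:44:07 AM.001 UTC : %UC_RTMT-2-RTMT_ALERT:....",
    "<34>Jan 20 08:44:06 router1 sshd[123]: Accepted publickey for admin",
]

# Giuseppe's regex. Splunk (PCRE) accepts (?<name>...); Python's re needs
# (?P<name>...), which is the only change made here.
GENERIC_HOST_REGEX = r"\<\d+\>\d+:\s:\s:\s\d+:\s(?P<hostname>[^:]*):"

# krusty's transforms.conf regex: fires only for hostnames starting with cucNN.
CUC_HOST_REGEX = r"\<\d+\>[\d\s]+\:[\d\s]+\:[\d\s]+\:[\d\s]+\:\s(cuc\d+[^:]*):"


def apply_transform(raw, regex, fmt="host::$1"):
    """Emulate a transform with SOURCE_KEY=_raw and DEST_KEY=MetaData:Host.

    Returns the host Splunk would write, or None when REGEX does not match:
    a non-matching transform is skipped, so other sources keep the default
    host extraction (the concern raised by john.byun above).
    """
    m = re.search(regex, raw)
    if not m:
        return None
    # Splunk expands $1, $2, ... in FORMAT with the capture groups; "host::"
    # names the metadata field and is not part of the stored value.
    expanded = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), fmt)
    return expanded.split("::", 1)[1]


def extract_hosts(events, regex, fmt="host::$1"):
    """Run the emulated transform over every raw event."""
    return [apply_transform(e, regex, fmt) for e in events]


if __name__ == "__main__":
    for label, rx in (("generic", GENERIC_HOST_REGEX), ("cuc-only", CUC_HOST_REGEX)):
        print(label)
        for raw, host in zip(EVENTS, extract_hosts(EVENTS, rx)):
            print(f"  {host!r:<30} <- {raw[:60]}")
```

A None result means Splunk's default host extraction still applies to that event, which is why a narrow regex like krusty's leaves other syslog sources alone.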
While I used this case to resolve the hostname, it returned the host as "$1". Why?
		@krusty - Did the answer provided by cusello help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!
