Splunk Search

How to fix Splunk from incorrectly extracting hostname field in syslog events?

krusty
Contributor

Hi there,

We have an issue with hostname extraction from syslog events.
Normally the extraction works fine, but for some sources it won't.

The event is shown as follows:
<186>13286: : : 7499: full.qualified.domainname: Jan 20 2017 08:44:06 AM.938 UTC : %UC_RTMT-2-RTMT_ALERT:....

And Splunk extracts AM.938 as the host field.

With other syslog Events like this:
<187>4265: : : 3147: full.qualified.domainname: Jan 20 2017 08:50:11.151 UTC : %UC_CALLMANAGER
the hostname is extracted as full.qualified.domainname.

How can I change the hostname extraction for the first event example?
Both events arrive at the Splunk indexer via UDP on port 514, so I couldn't change the global extraction rule.

For me the problem is located at the timestamp. The first example event has AM/PM in it and the second example does not. But I don't know where it comes from.

0 Karma

gcusello
SplunkTrust

Hi krusty,
can you share the host regex?
In any case, you should try to use a regex like \<\d+\>\d+:\s:\s:\s\d+:\s(?<hostname>[^:]*): to extract the correct host
(see https://regex101.com/r/ZDCObt/1).
Bye.
Giuseppe

0 Karma

john_byun
Path Finder

We have the same issue, but only from one type of device. If I apply this setting, will it affect all other syslogs coming into Splunk?

0 Karma

gcusello
SplunkTrust

Hi john.byun,
I don't know your situation, but usually it depends on the appliance; we used pre-parsing in many situations.
Bye.
Giuseppe

0 Karma

gcusello
SplunkTrust

Probably the best way is to pre-parse your syslog before Splunk acquires it.
Bye.
Giuseppe

0 Karma

krusty
Contributor

Hi Giuseppe,

thanks for your answer.
Indeed, I had to add the following entries to my transforms.conf and props.conf.

transforms.conf
[change_host_cuc]
SOURCE_KEY = _raw
REGEX = \<\d+\>[\d\s]+\:[\d\s]+\:[\d\s]+\:[\d\s]+\:\s(cuc\d+[^:]*):
DEST_KEY = MetaData:Host
FORMAT = host::$1
WRITE_META = true

props.conf
[syslog]
...
TRANSFORMS-cuc = change_host_cuc
...

So your idea to change the regex was perfect.
Many thanks for this.

Could you also tell me how to change the time format for the events during indexing?
As you can see, the event is in US time format but all other events are in 24h format. If it's possible I'd like to make this uniform.

Kind regards

0 Karma
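To show what the two regexes from this thread actually select, here is an added Python check (not Splunk configuration and not code from any poster) that runs both patterns over the two events quoted in the question plus one constructed event with a host named cuc01.example.internal; it assumes Python's re engine as a stand-in for the PCRE Splunk uses (the named-group syntax is adapted) and also parses the two timestamp flavours that krusty identified as the root cause.

```python
import re
from datetime import datetime

# Sample events: the two quoted in the question plus one constructed "cuc" host
# (cuc01.example.internal is a made-up name) to exercise krusty's narrower regex.
EVENT_AMPM = ("<186>13286: : : 7499: full.qualified.domainname: "
              "Jan 20 2017 08:44:06 AM.938 UTC : %UC_RTMT-2-RTMT_ALERT: ...")
EVENT_24H = ("<187>4265: : : 3147: full.qualified.domainname: "
             "Jan 20 2017 08:50:11.151 UTC : %UC_CALLMANAGER-...")
EVENT_CUC = ("<186>13286: : : 7499: cuc01.example.internal: "
             "Jan 20 2017 08:44:06 AM.938 UTC : %UC_RTMT-2-RTMT_ALERT: ...")

# gcusello's suggestion: take whatever sits between the four ':'-separated header
# fields and the timestamp. Splunk's (?<name>...) becomes (?P<name>...) in Python.
HOST_ANY = re.compile(r"\<\d+\>\d+:\s:\s:\s\d+:\s(?P<hostname>[^:]*):")
# krusty's transforms.conf REGEX: same shape, but only hosts named cuc<digits>...
HOST_CUC = re.compile(r"\<\d+\>[\d\s]+\:[\d\s]+\:[\d\s]+\:[\d\s]+\:\s(cuc\d+[^:]*):")


def extract_host(event, pattern):
    """Host the transform would write via FORMAT = host::$1, or None when REGEX
    does not match (then the transform is skipped and the default host stays)."""
    m = pattern.search(event)
    return m.group(1) if m else None


# The timestamp is the field right after the host; the AM/PM and 24h forms differ.
TS_RE = re.compile(r"\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d(?: [AP]M)?\.\d+ UTC")
TS_FORMATS = ("%b %d %Y %I:%M:%S %p.%f %Z",  # 08:44:06 AM.938 UTC
              "%b %d %Y %H:%M:%S.%f %Z")     # 08:50:11.151 UTC


def normalize_timestamp(event):
    """Parse either timestamp flavour and return it as ISO 8601 with milliseconds."""
    m = TS_RE.search(event)
    if not m:
        return None
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(m.group(0), fmt).isoformat(timespec="milliseconds")
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    for ev in (EVENT_AMPM, EVENT_24H, EVENT_CUC):
        print(extract_host(ev, HOST_ANY), extract_host(ev, HOST_CUC), normalize_timestamp(ev))
```

The narrower pattern leaves events from other sources untouched, which is the point raised by john_byun: a transform whose REGEX does not match never rewrites the host.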

dingonet
New Member

When I use this configuration to resolve the hostname, it returns the host as "$1". Why?

0 Karma

aaraneta_splunk
Splunk Employee

@krusty - Did the answer provided by gcusello help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma