We have an issue with hostname extraction from syslog events.
Normally the extraction works fine, but for some sources it won't.
The event is shown as follows:
<186>13286: : : 7499: full.qualified.domainname: Jan 20 2017 08:44:06 AM.938 UTC : %UC_RTMT-2-RTMT_ALERT:....
And Splunk extracts AM.938 as the host field.
With other syslog events like this:
<187>4265: : : 3147: full.qualified.domainname: Jan 20 2017 08:50:11.151 UTC : %UC_CALLMANAGER
the hostname is extracted as
How can I change the hostname extraction for the first event example?
Both events arrive at the Splunk indexer via UDP on port 514, so I couldn't change the global extraction rule.
For me the problem is located at the timestamp. The first example event has AM/PM in it and the second example does not. But I don't know where it comes from.
Can you share the host regex?
Anyway, you should try to use a regex like
\<\d+\>\d+:\s:\s:\s\d+:\s(?<hostname>[^:]*): to extract the correct host
Thanks for your answer.
Indeed, I had to add the following entries to my transforms.conf and props.conf.
# transforms.conf
[change_host_cuc]
SOURCE_KEY = _raw
REGEX = \<\d+\>[\d\s]+\:[\d\s]+\:[\d\s]+\:[\d\s]+\:\s(cuc\d+[^:]*):
DEST_KEY = MetaData:Host
FORMAT = host::$1
WRITE_META = true

# props.conf, inside the stanza for the sourcetype or source these events arrive with
TRANSFORMS-cuc = change_host_cuc
So your idea to change the regex was perfect.
Many thanks for this.
Could you tell me also how to change the time format for the events during indexing?
As you can see, the event is in US time format but all other events are in 24h format. If it's possible I'd like to unify this.
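To check what the two regexes in this thread actually capture before deploying them, here is an added, self-contained Python example (not code from the thread or from Splunk). It runs the answer's regex and the poster's transforms.conf regex over constructed events modelled on the two quoted lines, and also parses both timestamp layouts into one 24-hour value. Assumptions: Python's re module behaves like Splunk's PCRE for these simple patterns (Splunk's (?<name>...) is spelled (?P<name>...) in Python), the hostnames cuc01.example.com and cuc02.example.com are made up because the transforms.conf regex only matches hosts beginning with "cuc" plus digits, and the timestamp parsing is an illustration of the two layouts, not a Splunk TIME_FORMAT setting.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample events modelled on the two lines quoted in the thread.
# Hostnames are made up: the transforms.conf regex posted in the thread only
# matches hosts that begin with "cuc" followed by digits.
EVENT_AMPM = ("<186>13286: : : 7499: cuc01.example.com: "
              "Jan 20 2017 08:44:06 AM.938 UTC : %UC_RTMT-2-RTMT_ALERT: sample text")
EVENT_24H = ("<187>4265: : : 3147: cuc02.example.com: "
             "Jan 20 2017 08:50:11.151 UTC : %UC_CALLMANAGER sample text")
# The first event exactly as quoted in the question (anonymized hostname).
EVENT_AS_QUOTED = ("<186>13286: : : 7499: full.qualified.domainname: "
                   "Jan 20 2017 08:44:06 AM.938 UTC : %UC_RTMT-2-RTMT_ALERT:....")

# Regex suggested in the answer; Splunk's (?<hostname>...) becomes (?P<hostname>...) here.
ANSWER_REGEX = re.compile(r"\<\d+\>\d+:\s:\s:\s\d+:\s(?P<hostname>[^:]*):")

# Regex from the poster's transforms.conf; capture group 1 is $1 in FORMAT = host::$1.
TRANSFORMS_REGEX = re.compile(
    r"\<\d+\>[\d\s]+\:[\d\s]+\:[\d\s]+\:[\d\s]+\:\s(cuc\d+[^:]*):")


def extract_host(event: str, pattern: re.Pattern = ANSWER_REGEX) -> Optional[str]:
    """Return the host a transforms.conf REGEX would capture from the raw event.

    Splunk's REGEX is an unanchored search over SOURCE_KEY (_raw here) and the
    first capture group is what FORMAT = host::$1 writes into the host field.
    None means the transform would not fire and the default host would remain.
    """
    m = pattern.search(event)
    return m.group(1) if m else None


# The two timestamp layouts seen in the thread: 12-hour with AM/PM placed
# before the milliseconds, and 24-hour with milliseconds attached to the seconds.
TIME_FORMATS = (
    "%b %d %Y %I:%M:%S %p.%f %Z",   # Jan 20 2017 08:44:06 AM.938 UTC
    "%b %d %Y %H:%M:%S.%f %Z",      # Jan 20 2017 08:50:11.151 UTC
)


def extract_timestamp(event: str, pattern: re.Pattern = ANSWER_REGEX) -> Optional[datetime]:
    """Parse the timestamp that follows the hostname, trying both layouts.

    Returns a naive datetime (the events say UTC) so both event styles can be
    compared as plain 24-hour values.
    """
    m = pattern.search(event)
    if not m:
        return None
    # The timestamp runs from the end of the hostname match up to the " : " separator.
    rest = event[m.end():].lstrip()
    stamp = rest.split(" : ", 1)[0]
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(stamp, fmt)
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    for ev in (EVENT_AMPM, EVENT_24H, EVENT_AS_QUOTED):
        print(extract_host(ev, ANSWER_REGEX), extract_host(ev, TRANSFORMS_REGEX),
              extract_timestamp(ev))
```

Running it shows the answer's regex capturing the hostname from all three events, while the transforms.conf regex returns None for the anonymized "full.qualified.domainname" line because of its "cuc\d+" prefix; that prefix is what keeps the transform from rewriting the host of unrelated syslog sources on the same UDP input.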
@krusty - Did the answer provided by cusello help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!