×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
mesler
Loves-to-Learn
Member since: ‎01-09-2019
‎07-13-2020
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎01-09-2019
Activity Feed
Topics I've Started
View All

Re: Transform not applied based on Host

by in Splunk Enterprise
‎07-13-2020 12:42 PM
‎07-13-2020 12:42 PM
The IP address was just a placeholder.  I was using the actual address. I resolved my issue by implementing your suggestion.  I broke out logs by hostname, added the host in question's logs to separate log files, added the new data inputs and set the proper sourcetype and index, and now all is well in the world. Thanks again for your help and your suggestion! ... View more

Re: Transform not applied based on Host

by in Splunk Enterprise
‎07-13-2020 09:45 AM
‎07-13-2020 09:45 AM
That is a fantastic point that I had completely forgotten about.  We just recently upgraded the system hosting Splunk, and simply copied the configs, but I think that would be a much more sensible option in our case.  Thanks very much for your help! ... View more

Re: Transform not applied based on Host

by in Splunk Enterprise
‎07-13-2020 09:42 AM
‎07-13-2020 09:42 AM
Unfortunately, DEST_KEY = MetaData:Index does not appear to have helped. ... View more

Re: Transform not applied based on Host

by in Splunk Enterprise
‎07-13-2020 09:10 AM
‎07-13-2020 09:10 AM
I should point out that I just realized that my rule may not be working because these particular logs are coming from the indexer's own /var/log/messages file (rsyslog), so my IP address is perhaps not going to work in this case.  I initially tried using a host name which also didn't work, however perhaps your suggestion will work in either case.  I will report back shortly.  Thanks! ... View more

Transform not applied based on Host

by in Splunk Enterprise
‎07-13-2020 08:42 AM
‎07-13-2020 08:42 AM
HI there, I'm trying to redirect logs from syslog device to a separate index..   Does anyone see an error in this config?       [host::aaa.bbb.ccc.ddd] TRANSFORMS-juniper_change_index = juniper_change_index [juniper_change_index] SOURCE_KEY = MetaData:Host REGEX = (.*) DEST_KEY = _MetaData:Index FORMAT = juniper     Logs are still going to the main index.  I have other working transforms that operate on sourcetypes and other fields, but for some reason, I've been unable to get this one based on source address working. Thanks! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-13-2020 02:14 PM