Hello.
My CAS server send this kind of even through syslog:
2014-07-04 10:00:01,527 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-71914-GqsbHllVCbZDwi2gpdGe-cas3.domain.tld
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Fri Jul 04 10:00:01 CEST 2014
CLIENT IP ADDRESS: 129.94.143.19
SERVER IP ADDRESS: cas.domain.tld
=============================================================
For an unknown reason, the line "WHEN: ..." is incorrectly assigned to host 'CEST'. The documentation about fixing invalid host field (http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/Handleincorrectly-assignedhostvalues) is focused about correcting data incorrectly imported, not about fixing an extraction error on the fly.
Given that's a syslog source type, is there way to force 'host' value as the one from the dedicated syslog element ?
... View more