invalid host extraction

rousse
New Member

Hello.

My CAS server sends this kind of event through syslog:

2014-07-04 10:00:01,527 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-71914-GqsbHllVCbZDwi2gpdGe-cas3.domain.tld
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Fri Jul 04 10:00:01 CEST 2014
CLIENT IP ADDRESS: 129.94.143.19
SERVER IP ADDRESS: cas.domain.tld
=============================================================

For an unknown reason, the line "WHEN: ..." is incorrectly assigned to host 'CEST'. The documentation about fixing invalid host field (http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/Handleincorrectly-assignedhostvalues) is focused on correcting data incorrectly imported, not on fixing an extraction error on the fly.

Given that it's a syslog source type, is there a way to force the 'host' value as the one from the dedicated syslog element?


grijhwani
Motivator

Your syslog extraction is following correct assumptions for the default syslog format. As a norm, syslog consists of single line records which are complete in themselves and generally take the form:

{date} {hostname/ip} {substance of syslog entry}

The auto-scan is "correctly" detecting the host name after a date entry for the default syslog type. You will need to override this source as a different sourcetype, and then tweak the extraction parameters.

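As an added example of the "override the sourcetype, then tweak the extraction" advice (not configuration from the thread or from Splunk's shipped defaults), the stanzas below assume the CAS lines arrive on a UDP syslog input with an RFC 3164 header (`Mmm dd hh:mm:ss hostname ...`); the sourcetype name `cas_syslog`, the transform name and port 514 are placeholders.

```ini
# inputs.conf (on the instance receiving the syslog feed)
# Assigning a custom sourcetype means the stock [syslog] props stanza, and with
# it the default syslog-host transform, no longer applies to these events.
# Port 514 is an assumption.
[udp://514]
sourcetype = cas_syslog

# props.conf
[cas_syslog]
# Use our own host extraction in place of the default syslog-host transform.
TRANSFORMS-host = cas_syslog_host

# transforms.conf
[cas_syslog_host]
# Anchored at the start of the line: the host is the token that follows the
# syslog header timestamp, optionally preceded by a <PRI> field. The stock
# transform is not anchored to the line start and keys on the end of any time
# value, which is how "10:00:01 CEST 2014" inside the WHEN: line yields CEST.
REGEX = ^(?:<\d+>)?\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+([\w.\-]+)\s
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

After a restart, a search such as `sourcetype=cas_syslog | stats count by host` should list only the header hostnames. If the host of the sending machine is acceptable instead of the header value, `connection_host = dns` (or `ip`) on the UDP input achieves that without any transform.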

rousse
New Member

Assuming that any date or host values found in the {substance of syslog entry} section should override corresponding values found in dedicated sections is indeed consistent with "last occurrence wins" behaviour, but isn't really meaningful here. Syslog format is often criticized for being under-structured, but this defeats even the available structuration 🙂

Ok, I'll try to tweak the extraction parameters. Thanks for the advice.
