Host does not get properly extracted for linux_secure (I get the syslog server hostname instead)
I have tried many things:
props.conf:
[linux_secure]
TRANSFORM = syslog-host

props.conf:
[linux_secure]
TRANSFORM-host = syslog-host

props.conf:
[linux_secure]
TRANSFORMS-zz_fix_host = syslog_add_fqdn

transforms.conf:
[syslog_add_fqdn]
DEST_KEY = MetaData:Host
SOURCE_KEY = MetaData:Host
REGEX = host::.
FORMAT = host::testrename
None of these options work (including after restart).
If you issue the following command, what do you get for the [linux_secure] stanza?
$SPLUNK_HOME/bin/splunk btool --debug props list | more
Also, I wouldn't set the host name using a transform when you can easily set it in props.conf, or even inputs.conf:
host=testrename
This should work -- unless the system is supplying
TRANSFORMS = syslog-host
which it does for some known sourcetypes. The first command will help you figure that out.
Finally, a very important question: where is your props.conf? What is the location of the file? Configuration file precedence is very important in Splunk; if you understand it, great! But if not, take a look at Configuration File Precedence in the Admin manual.
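As an added example (not from the original thread), this is the props.conf/transforms.conf pair I would try for a host override on linux_secure, assuming the raw event starts with a standard syslog timestamp followed by the originating hostname (the sample line in the comments is constructed). Note that the props.conf attribute is TRANSFORMS-<class>; the second attempt above spelled it TRANSFORM-host, which Splunk ignores, and index-time transforms only run on the first indexer or heavy forwarder that parses the data, not on a universal forwarder.

```ini
# props.conf
# Put this where btool shows it winning, e.g.
# $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf on the parsing instance.
[linux_secure]
# Must be TRANSFORMS-<class>; "TRANSFORM-host" is silently ignored.
TRANSFORMS-host = secure_syslog_host

# transforms.conf (same directory)
[secure_syslog_host]
# The original hostname is in the raw event text, so read from _raw rather
# than from MetaData:Host (which already holds the syslog server's name).
SOURCE_KEY = _raw
# Constructed sample event the regex is written for:
#   Mar 14 10:22:31 web01 sshd[1234]: Accepted publickey for alice from ...
# Group 1 captures "web01".
REGEX = ^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+([\w.\-]+)\s
FORMAT = host::$1
DEST_KEY = MetaData:Host

# Verify which copy of each stanza Splunk actually loads (run after restart):
#   $SPLUNK_HOME/bin/splunk btool --debug props list linux_secure
#   $SPLUNK_HOME/bin/splunk btool --debug transforms list secure_syslog_host
```

The --debug output prefixes every attribute with the file it came from, so a stanza from a higher-precedence file (e.g. a stock TRANSFORMS = syslog-host on the same sourcetype) shows up immediately.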
Alexander, can you paste a sample of your syslog output here?