
Route syslog data to specific index by host

joshrabinowitz
Path Finder

Tried suggestions from other Q/A, but alas. Trying to route syslog data from one host to an index other than main. The host is a NetApp filer and there is no option to install a forwarder, so it's just sending data on 514. Single indexer/search head; the target index is set up and named 'netapp'.

props.conf

[host::host1.fqdn]
TRANSFORMS-movetonetappindex = netappindex

transforms.conf

[netappindex]
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = netapp

Running 4.2.1, build 98164 on rhel5_5 2.6.18-238.12.1.el5


gkanapathy
Splunk Employee

It's possible that your host value is not in fact host.fqdn. If your sourcetype is syslog, Splunk applies a transform that modifies the host according to what's in the event data. But the selection of rules from props.conf is applied based on the *un*transformed host, so it may be the IP address, or something.

This is much easier to deal with if you receive the data using syslog or syslog-ng or rsyslog, write it to a set of files split out by hostname, and then have Splunk monitor those files, using the host_segment or host_regex to set the host name.

Also (and this isn't why it's failing), don't use .* as your matching regex. There's no need to match up against the entire string. Simply . or (?=) will work fine.
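The file-based approach suggested above, as an added configuration example that is not part of the original answer. It assumes rsyslog (legacy directive syntax) running on the indexer host and a constructed directory layout under /var/log/remote; the port numbers and the 'netapp' index come from the question.

```ini
# ---- /etc/rsyslog.d/remote.conf (example, constructed) ----
# Receive syslog directly on 514, so the iptables redirect to 9514
# and the Splunk UDP input on 9514 are no longer needed.
$ModLoad imudp
$UDPServerRun 514

# One file per sending host. %HOSTNAME% is the hostname rsyslog
# resolved/parsed for the message, which is what the directory
# name (and therefore the Splunk host value) will be based on.
$template RemoteHost,"/var/log/remote/%HOSTNAME%/syslog.log"
*.* ?RemoteHost
# Discard after writing so remote events are not also mixed into
# the local /var/log/messages.
& ~

# ---- $SPLUNK_HOME/etc/system/local/inputs.conf (example) ----
# Monitor the filer's directory only, and pin the index there.
# Path segments count from 1 after the leading slash:
#   /var/log/remote/host1.fqdn/syslog.log
#    1   2   3      4          5
# so host_segment = 4 sets host to the directory name, without
# depending on the syslog host-rewrite that props.conf does not see.
[monitor:///var/log/remote/host1.fqdn]
sourcetype = syslog
index = netapp
host_segment = 4

# Other senders get their own stanza (or a catch-all on
# /var/log/remote with a different index) so nothing else
# lands in 'netapp' by accident.
```

If the UDP input must stay, note that a transforms.conf REGEX is evaluated against the raw event text (SOURCE_KEY defaults to _raw), so a props.conf stanza keyed on the input source (for example [source::udp:9514]) with a REGEX that matches the filer's name in the syslog header is an alternative that avoids guessing the untransformed host value.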

joshrabinowitz
Path Finder

What else could the event data have for 'host' [if not the IP], and where could I find this info? Thx.


joshrabinowitz
Path Finder

Tried using the IP instead of the hostname; same result. Should also point out that syslog comes in on 514, then iptables routes it to 9514, and Splunk has a UDP input on 9514.
