forwarded logs original address as source

gregwilliams
Path Finder

We currently have another syslog server that is handling some network-related scripting and can't be shut down, and rather than add Splunk as another log server on the switches we want to just forward the logs from the current log server to Splunk. This works just fine, except how do I take the logs and change the source? The host shows the current log server as xxx.xxx.xxx.xxx for all logs, but within the log it has this statement: "Original Address=xxx.xxx.yyy.yyy". How do I change the host to xxx.xxx.yyy.yyy instead of xxx.xxx.xxx.xxx?

lguinn2
Legend

Use a transformation to do this. It should be done on the indexer(s). You will need two files, props.conf and transforms.conf, both of them in $SPLUNK_HOME/etc/system/local. I will assume that this is the only data that is coming from the syslog server, and that the syslog server is named syslogServer (for my example).

props.conf

[host::syslogServer]
TRANSFORMS-t1=rename_host

transforms.conf

[rename_host]
REGEX=Original Address\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
DEST_KEY=MetaData:Host
FORMAT=host::$1

This transformation will be applied to data from the host as it is indexed. Data already in the index will not be affected.

Feel free to follow up with more questions if needed!
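To see what the two stanzas above do before deploying them, here is an added Python simulation of the [rename_host] transform (not Splunk code and not part of the original answer). It applies the REGEX from transforms.conf to constructed relayed syslog events, rewrites the host the way DEST_KEY=MetaData:Host with FORMAT=host::$1 does, and lists the events that keep the relay's host because the regex did not match them.

```python
import re

# REGEX copied verbatim from the [rename_host] stanza in transforms.conf above.
ORIGINAL_ADDRESS_RE = re.compile(
    r"Original Address\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)

# Constructed sample events (not from the thread). Every event arrives with the
# relay's hostname, because the relay is the sender the indexer actually sees.
SAMPLE_EVENTS = [
    {"host": "syslogServer",
     "_raw": "<189>Mar 10 12:00:01 relay LINK-3-UPDOWN: Gi1/0/1 down Original Address=192.0.2.17"},
    {"host": "syslogServer",
     "_raw": "<189>Mar 10 12:00:02 relay SYS-5-CONFIG_I: configured Original Address=198.51.100.4"},
    {"host": "syslogServer",
     "_raw": "<189>Mar 10 12:00:03 relay cron[412]: relay-local job finished"},
]


def rename_host(event):
    """Apply [rename_host] to one event.

    On a REGEX match, FORMAT=host::$1 is written to DEST_KEY=MetaData:Host;
    the 'host::' prefix names the metadata key, so the host field itself
    becomes the captured address. With no match Splunk leaves host alone.
    """
    m = ORIGINAL_ADDRESS_RE.search(event["_raw"])
    out = dict(event)
    if m is not None:
        formatted = "host::" + m.group(1)          # FORMAT=host::$1
        out["host"] = formatted.split("::", 1)[1]  # value stored in MetaData:Host
    return out


def apply_transform(events):
    """Run the transform over a batch, as the indexer does at index time."""
    return [rename_host(e) for e in events]


def still_attributed_to_relay(events, relay="syslogServer"):
    """Raw lines the regex did not match; these keep the relay's host.
    Reviewing this list shows which log lines lack 'Original Address='
    and would still be attributed to the relay after deployment."""
    return [e["_raw"] for e in apply_transform(events) if e["host"] == relay]


if __name__ == "__main__":
    for e in apply_transform(SAMPLE_EVENTS):
        print(e["host"], "|", e["_raw"])
    print("unmatched:", still_attributed_to_relay(SAMPLE_EVENTS))
```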

lguinn2
Legend

You can't do a DNS lookup as part of the transform, but Splunk does ship with a script that can be used with a Splunk lookup. Look at "Example of external fields lookup" within this manual page: http://docs.splunk.com/Documentation/Splunk/4.3.1/Knowledge/Addfieldsfromexternaldatasources

gregwilliams
Path Finder

Works great. Is there any way to do DNS lookup on that IP then?
