Getting Data In

How to prevent linux_message_syslog input from overriding the FQDN of the host sent from a universal forwarder?

daniel333
Builder

All,

I have an input in linux_message_syslog that seems to be working fine, but the universal forwarder is providing the FQDN of the host back to Splunk. This specific input seems to be overriding the hostname to the one found in the log, which is just the host name and not the FQDN. Any recommendation on how to handle that?

Jan 27 17:50:05 myawesomeserver clamd[23110]: SelfCheck: Database status OK.

So I end up with

host=myawesomeserver AND host=myawesomeserver.domain.local

Thoughts?

1 Solution

Raschko
Communicator

Have a look at the following btool command:

splunk btool props list linux_messages_syslog

Here you find a TRANSFORM for the host part:

TRANSFORMS = syslog-host

Using another btool command you will see that the host field (for linux_messages_syslog) is extracted using a regex:

splunk btool props list syslog-host

So to override this I would try to use an empty TRANSFORMS on the host or source as they have higher precedence than the sourcetype linux_messages_syslog.

Example props.conf:

[host::myawesomeserver]
TRANSFORMS = 


thambisetty
SplunkTrust

Check @micahkemp's answer from
https://answers.splunk.com/answers/598785/why-are-props-and-transforms-preconfigured-to-sani.html

To disable this transform, you can place this in etc/system/local/props.conf:

  [linux_messages_syslog]
  TRANSFORMS = 

@Raschko's answer will only work for the specified host "myawesomeserver", as he is applying it on host, not on sourcetype. If the box is a heavy forwarder receiving logs from many *nix servers, it's better to do it on the HF using sourcetype.

 [host::myawesomeserver]
 TRANSFORMS =
————————————
If this helps, give a like below.
0 Karma
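To make the two approaches above concrete (the accepted answer's host:: stanza and the sourcetype-wide stanza in this reply), here is a small Python model added to this page; it is not code from the thread or from Splunk. It assumes the precedence the answers state (a host:: stanza beats the sourcetype stanza, and an empty TRANSFORMS disables the host extraction), keys host:: on the host value as it arrives from the forwarder, leaves source:: stanzas out, and uses a constructed regex and constructed events rather than Splunk's real syslog-host regex.

```python
import re

# Constructed stand-in for the syslog-host transform: take the token after the
# syslog timestamp as the host. This is NOT Splunk's real regex.
SYSLOG_HOST_RE = re.compile(r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s")

# Constructed events: (host as sent by the universal forwarder, raw line).
EVENTS = [
    ("myawesomeserver.domain.local",
     "Jan 27 17:50:05 myawesomeserver clamd[23110]: SelfCheck: Database status OK."),
    ("otherbox.domain.local",
     "Jan 27 17:50:06 otherbox sshd[812]: Accepted publickey for ops from 10.0.0.5 port 50022"),
]

# Simplified props.conf model: stanza name -> {setting: value}.
DEFAULT_PROPS = {"linux_messages_syslog": {"TRANSFORMS": "syslog-host"}}


def effective_transforms(props, meta_host, sourcetype):
    """Resolve TRANSFORMS for one event: the host:: stanza (keyed on the host the
    forwarder sent) wins over the sourcetype stanza. An empty value disables the
    transform; no matching stanza at all also means no transform."""
    for stanza in (f"host::{meta_host}", sourcetype):
        settings = props.get(stanza)
        if settings is not None and "TRANSFORMS" in settings:
            return settings["TRANSFORMS"]
    return ""


def index_host(props, meta_host, sourcetype, raw):
    """Return the host value the event would be indexed with."""
    if effective_transforms(props, meta_host, sourcetype) == "syslog-host":
        m = SYSLOG_HOST_RE.match(raw)
        if m:
            return m.group(1)  # short name from the log overrides the FQDN
    return meta_host           # forwarder-supplied FQDN is kept


def indexed_hosts(props, sourcetype="linux_messages_syslog"):
    return [index_host(props, h, sourcetype, raw) for h, raw in EVENTS]


if __name__ == "__main__":
    per_host = {**DEFAULT_PROPS, "host::myawesomeserver.domain.local": {"TRANSFORMS": ""}}
    per_sourcetype = {"linux_messages_syslog": {"TRANSFORMS": ""}}
    print("default:         ", indexed_hosts(DEFAULT_PROPS))   # both hosts shortened
    print("host:: override: ", indexed_hosts(per_host))        # only the named host keeps its FQDN
    print("sourcetype empty:", indexed_hosts(per_sourcetype))  # every host keeps its FQDN
```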

tvaniderstine
Explorer

Would a better answer have been to do the following?
1. Copy $SPLUNK_HOME/etc/system/default/props.conf to $SPLUNK_HOME/etc/system/local/props.conf
2. Replace all instances of syslog-host with syslog-host-full
3. Restart Splunk

Also, in transforms.conf, the only blocks that don't have descriptions are... syslog-host and syslog-host-full. How quaint.

0 Karma

Raschko
Communicator

Forgot to mention it if anyone wonders - this should be done on the receiving indexer.

0 Karma