Unable to set host on index time

manderson7
Contributor

I'm bringing in Cisco Router logs via syslog and using the TA-Cisco_ios addon. I have some flaky log entries that I've massaged as much as I can when bringing it in, and now have to set the host from the log data. My logs look like:

Apr 24 14:07:28 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:48:30.191 EDT: **Entry  found in cache**
Apr 24 14:07:18 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:48:20.095 EDT: CDP-PA: version 2 packet sent out on Multilink1
Apr 24 14:06:41 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:47:44.175 EDT: BGP: topo global:VPNv4 Multicast:base Scanning routing tables
Apr 24 14:06:22 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:47:24.963 EDT: CDP-PA: version 2 packet sent out on Multilink1

My props.conf looks like:

# Define hostname
[sourcetype::cisco:ios]
Transforms-obfuscated-0-gw=define_host

and Transforms looks like

[define_host]
REGEX = ^(?:[^ \n]* ){4}([^:]+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

Can someone tell me where to go from here? That regex pulls the hostname according to regex101.

1 Solution

mikaelbje
Motivator

I believe you need to change sourcetype::cisco:ios to cisco:ios in your props.conf

manderson7
Contributor

That did it for the most part, thanks! It's bringing in a couple more values for the host field, but that's probably due to my regex.

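The follow-up above notes that, once the stanza is renamed to [cisco:ios], the host field still picks up "a couple more values". The script below is an added example, not code from the thread or from TA-Cisco_ios: it runs the exact REGEX from the define_host stanza over sample lines modelled on the ones in the question (constructed here, not taken from a device) and shows one way such stray host values arise. Because `[^ \n]*` can match an empty string, a doubled space in the syslog header counts as a whole field, so the capture group drifts onto the IP address and hostname together. STRICT_REGEX, extract_host and the sample lines are assumptions introduced for this example; the alternative pattern anchors each header field and tolerates runs of whitespace, and the thread itself does not propose it.

```python
import re

# Constructed sample lines modelled on those in the question (not real device output).
# The third line deliberately has a doubled space after the syslog timestamp, a
# form some relays emit, to show how the original pattern misbehaves on it.
SAMPLE_LINES = [
    "Apr 24 14:07:28 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:48:30.191 EDT: Entry found in cache",
    "Apr 24 14:07:18 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:48:20.095 EDT: CDP-PA: version 2 packet sent out on Multilink1",
    "Apr 24 14:06:41  172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:47:44.175 EDT: BGP: Scanning routing tables",
]

# The REGEX from the question's transforms.conf stanza, unchanged.
ORIGINAL_REGEX = re.compile(r"^(?:[^ \n]* ){4}([^:]+)")

# Assumed alternative (not from the thread): match the BSD syslog header field by
# field, allow runs of whitespace between fields, and stop the hostname at the colon.
STRICT_REGEX = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+([^\s:]+):"
)


def extract_host(line, regex=ORIGINAL_REGEX):
    """Return the value the transform would write to MetaData:Host for this line.

    Mirrors FORMAT = host::$1 / DEST_KEY = MetaData:Host: capture group 1 becomes
    the host. Returns None when the regex does not match (Splunk would then leave
    the host as whatever the input layer assigned, e.g. the syslog sender's IP).
    """
    m = regex.match(line)
    return m.group(1) if m else None


def compare_patterns(lines):
    """Run both patterns over each line and pair the results for inspection."""
    return [(extract_host(l), extract_host(l, STRICT_REGEX)) for l in lines]


if __name__ == "__main__":
    for line, (original, strict) in zip(SAMPLE_LINES, compare_patterns(SAMPLE_LINES)):
        print(f"{line[:40]!r:45} original={original!r:40} strict={strict!r}")
```

Running it shows the first two lines yield obfuscated-wan-0-gw under both patterns, while the doubled-space line yields "172.30.9.224 obfuscated-wan-0-gw" under the original pattern and only the hostname under the stricter one. Checking a search such as `| stats count by host` for values containing spaces or IP addresses is a quick way to confirm whether this is the cause in your own data.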