Solved: Unable to set host on index time

manderson7 · ‎04-25-2017

I'm bringing in Cisco Router logs via syslog and using the TA-Cisco_ios addon. I have some flaky log entries that I've massaged as much as I can when bringing it in, and now have to set the host from the log data. My logs look like:

Apr 24 14:07:28 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:48:30.191 EDT: **Entry  found in cache**
Apr 24 14:07:18 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:48:20.095 EDT: CDP-PA: version 2 packet sent out on Multilink1
Apr 24 14:06:41 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:47:44.175 EDT: BGP: topo global:VPNv4 Multicast:base Scanning routing tables
Apr 24 14:06:22 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:47:24.963 EDT: CDP-PA: version 2 packet sent out on Multilink1

My props.conf looks like:

#Define hostname  
[sourcetype::cisco:ios]
Transforms-obfuscated-0-gw=define_host

and Transforms looks like

[define_host]
REGEX = ^(?:[^ \n]* ){4}([^:]+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

Can someone tell me where to go from here? That regex pulls the hostname according to regex101.

mikaelbje · ‎04-25-2017

I believe you need to change sourcetype::cisco:ios to cisco:ios in your props.conf

View solution in original post

mikaelbje · ‎04-25-2017

I believe you need to change sourcetype::cisco:ios to cisco:ios in your props.conf

manderson7 · ‎04-25-2017

That did it for the most part, thanks! It's bringing in a couple more values for the host field, but that's probably due to my regex.

Unable to set host on index time

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life