Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to force the host with syslog sourcetype

yannK
Splunk Employee
Splunk Employee
‎02-20-2013 10:46 AM

This is a common issue with the syslog sourceytype.
By default it behave differently from the other inputs, the host is extracted from the events.

#inputs.conf

[monitor:///var/log/messages]
sourcetype=syslog
host=myhostname

with the events :
Feb 19 22:06:35 10.21.24.612 INFO I am a fabulous server

The final host will be 10.21.24.612 not myhostname

I want to change the behavior.

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎02-20-2013 10:49 AM

The solution is to force the host in the inputs.conf and use another sourcetype than syslog without host extraction

  • define the desired host in the inputs.conf (of the default ones in the $SPLUNK_HOME/etc/system/local/inputs.conf).
  • apply this sourcetype syslog_nohost at the forwarder level in inputs.conf
  • define this props.conf on the indexers
  • if needed you can also define a sourcetype renaming at search time to transparently rename syslog_nohost to syslog, see manager > fields > sourcetype renaming

example
# inputs.conf on the forwarder
[monitor:///var/log/messages]
sourcetype=syslog_nohost
host=myhostiwanttoenforce

# props.conf on the indexers
[syslog_nohost]
#based on a copy of syslog version 5.0.2
#TRANSFORMS = syslog-host
#disabling the host extraction
TRANSFORMS =
pulldown_type = true
maxDist = 3
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = False

View solution in original post

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎02-20-2013 10:49 AM

The solution is to force the host in the inputs.conf and use another sourcetype than syslog without host extraction

  • define the desired host in the inputs.conf (of the default ones in the $SPLUNK_HOME/etc/system/local/inputs.conf).
  • apply this sourcetype syslog_nohost at the forwarder level in inputs.conf
  • define this props.conf on the indexers
  • if needed you can also define a sourcetype renaming at search time to transparently rename syslog_nohost to syslog, see manager > fields > sourcetype renaming

example
# inputs.conf on the forwarder
[monitor:///var/log/messages]
sourcetype=syslog_nohost
host=myhostiwanttoenforce

# props.conf on the indexers
[syslog_nohost]
#based on a copy of syslog version 5.0.2
#TRANSFORMS = syslog-host
#disabling the host extraction
TRANSFORMS =
pulldown_type = true
maxDist = 3
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = False

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...