There are two alternative solutions for this issue: >
Modify the configuration of syslog server to disable hostname chaining. This is the preferred method since it removes one of the moving parts in this equation and ensures that events being sourceypted as syslog that do not have a chained hostname are not impacted Below is a link for syslog-ng.conf reference: http://linux.die.net/man/5/syslog-ng.conf Look for "chain_hostnames"
Create a props.conf file under your $SPLUNK_HOME/etc/apps/SplunkEnterrpiseSecuritySuite/local with below content:
[syslog] TRANSFORMS = syslog-header-stripper-ts-host, syslog-host
This will tell Splunk to remove the the chained hostname and timestamp from the event and then extract the hostname from the newly modified event.
There are two alternative solutions for this issue: >
Modify the configuration of syslog server to disable hostname chaining. This is the preferred method since it removes one of the moving parts in this equation and ensures that events being sourceypted as syslog that do not have a chained hostname are not impacted Below is a link for syslog-ng.conf reference: http://linux.die.net/man/5/syslog-ng.conf Look for "chain_hostnames"
Create a props.conf file under your $SPLUNK_HOME/etc/apps/SplunkEnterrpiseSecuritySuite/local with below content:
[syslog] TRANSFORMS = syslog-header-stripper-ts-host, syslog-host
This will tell Splunk to remove the the chained hostname and timestamp from the event and then extract the hostname from the newly modified event.