Hi,
I want to add hostname or host IP to the head of each row before forwarding. Is it possible with transforms.conf?
Can a Splunk forwarder learn and set host info to any token so we can use it conf files?
example raw log :
06-07-2016 14:44:18.878 +0300 INFO Blablabal - Msgmsgmsgmsgmsgm
06-07-2016 14:44:20.754 +0300 WARN Blablsaeccl - Msgmsgm dasas
After transform:
HOSTNAME 06-07-2016 14:44:18.878 +0300 INFO Blablabal - Msgmsgmsgmsgmsgm
HOSTNAME 06-07-2016 14:44:20.754 +0300 WARN Blablsaeccl - Msgmsgm dasas
or
xx.xxx.xx.xx 06-07-2016 14:44:18.878 +0300 INFO Blablabal - Msgmsgmsgmsgmsgm
xx.xxx.xx.xx 06-07-2016 14:44:20.754 +0300 WARN Blablsaeccl - Msgmsgm dasas
Thanks.
So rummaging through the documentation for outputs.conf, I found that there is an option for sending out syslog output.
where you can set the hostname field -
syslogSourceType = <string>
the excerpt from the same documentation,
Data which does not match the rules has a header, optionally a timestamp (if defined in 'timestampformat'), and a hostname added to the front of the event. This is how Splunk causes arbitrary log data to match syslog expectations.
you can try this out , hope it works.
You can/should do it on the indexer tier.
I am forwarding these event another host which is different from indexer. So i can not use indexer for this. So i need to know this logs where it come.