Is it possible to configure transforms.conf on a f...

ekremikizoglu · ‎06-07-2016

Hi,

I want to add hostname or host IP to the head of each row before forwarding. Is it possible with transforms.conf?
Can a Splunk forwarder learn and set host info to any token so we can use it conf files?

example raw log :
06-07-2016 14:44:18.878 +0300 INFO Blablabal - Msgmsgmsgmsgmsgm
06-07-2016 14:44:20.754 +0300 WARN Blablsaeccl - Msgmsgm dasas

After transform:
HOSTNAME 06-07-2016 14:44:18.878 +0300 INFO Blablabal - Msgmsgmsgmsgmsgm
HOSTNAME 06-07-2016 14:44:20.754 +0300 WARN Blablsaeccl - Msgmsgm dasas
or
xx.xxx.xx.xx 06-07-2016 14:44:18.878 +0300 INFO Blablabal - Msgmsgmsgmsgmsgm
xx.xxx.xx.xx 06-07-2016 14:44:20.754 +0300 WARN Blablsaeccl - Msgmsgm dasas

Thanks.

ssadh · ‎06-21-2016

So rummaging through the documentation for outputs.conf, I found that there is an option for sending out syslog output.
where you can set the hostname field -

syslogSourceType = <string>

the excerpt from the same documentation,

Data which does not match the rules has a header, optionally a timestamp (if defined in 'timestampformat'), and a hostname added to the front of the event. This is how Splunk causes arbitrary log data to match syslog expectations.

you can try this out , hope it works.

ddrillic · ‎06-07-2016

You can/should do it on the indexer tier.

ekremikizoglu · ‎06-07-2016

I am forwarding these event another host which is different from indexer. So i can not use indexer for this. So i need to know this logs where it come.

Is it possible to configure transforms.conf on a forwarder to add a hostname or host IP to the head of each row before forwarding?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases