Solved: Re: syslog field over-rides host_segment

inglisn · ‎05-23-2012

Hi,

I have a syslog server (Centos 6) with splunk 4.3.1 that receives syslog using the rsyslog daemon. The folder structure is /var/log/remote/1.2.3.4/syslog.log and I want to use the source IP address as the 'host' field.

The docs say to use host_segment, which I've done (inputs.conf shown below) but this seems to be ignored in favour of the syslog event hostname which could be IP, or could be hostname.

[monitor:///var/log/remote]
blacklist = *.gz
disabled = false
followTail = 0
index = test
sourcetype = syslog
whitelist = *.log
host_segment = 4

I've also tried manually setting it to a fixed string, and it still prefers the syslog headings. Sometimes the syslog message is that the last message repeated n times, in which case host=last.

Thanks

ziegfried · ‎05-23-2012

You can disable the syslog-host transform for the syslog sourcetype by adding the following stanza to your $SPLUNK_HOME/etc/system/local/props.conf

[syslog]
TRANSFORMS =

View solution in original post

dshpritz · ‎05-23-2012

More info:

http://blogs.splunk.com/2008/04/16/overriding-default-syslog-host-extraction/

ziegfried · ‎05-23-2012

You can disable the syslog-host transform for the syslog sourcetype by adding the following stanza to your $SPLUNK_HOME/etc/system/local/props.conf

[syslog]
TRANSFORMS =

bnorthway · ‎06-26-2015

I have the same problem (Why isn't this in the official docs for host_segment?) but I don't want to change all events of the syslog sourcetype. What should I do?

inglisn · ‎05-25-2012

Worked a treat. Thanks.

syslog field over-rides host_segment

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases