Splunk Search

How to extract the switchname for a network device on a forwarder as the host name instead of the syslog server's name?

watsontony80
New Member

I've got a server where all my networking devices report their information via syslog. On the server, I have a forwarder pushing data to my Splunk instance. However, when the Splunk server receives the information from the syslog server, the host is incorrectly identified as the syslog server's name rather than the actual network device's name. I think I need a regex to extract the host name (it's currently in a field called reported_hostname in Splunk), but I can't get the syntax right to extract it. My logs look like:

Dec 18 00:00:45 switchname/switchname 2174: Dec 18 00:00:44.133 est: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Start for session 00000995 failed to receive Accounting Response.

I'm trying to set the host name to be the switchname above. How do I extract this and get it labelled as the host off the forwarder? The logs contain more than one switchname, so I can't just do a host=name in my inputs.conf.


martin_mueller
SplunkTrust

You'll want something like this:

props.conf
[your_sourcetype]
...
TRANSFORMS-hostname = hostname_from_syslog

transforms.conf
[hostname_from_syslog]
REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\s+(\S+)
DEST_KEY = MetaData:Host
FORMAT = host::$1
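To check what the REGEX in the transforms.conf stanza above actually captures before deploying it, here is an added Python example (not part of the thread or of Splunk itself) that runs the same pattern over the sample line from the question. Splunk applies the regex to the raw event and writes capture group 1 into host (FORMAT = host::$1); the function below mirrors that. The second pattern, which stops at the first "/", is my own variant for the case where only the part before the slash is wanted, and the extra sample lines are constructed for the test.

```python
import re

# Syslog line copied from the question.
SAMPLE = (
    "Dec 18 00:00:45 switchname/switchname 2174: Dec 18 00:00:44.133 est: "
    "%RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Start for session "
    "00000995 failed to receive Accounting Response."
)

# The REGEX from the transforms.conf stanza in the answer: month, day, time,
# then the first run of non-whitespace characters is capture group 1.
HOST_REGEX = re.compile(r"^\w+\s+\d+\s+\d+:\d+:\d+\s+(\S+)")

# Assumed variant (not from the answer): same prefix, but the capture stops
# at whitespace OR at the first "/", so "switchname/switchname" yields
# "switchname" only.
SHORT_HOST_REGEX = re.compile(r"^\w+\s+\d+\s+\d+:\d+:\d+\s+([^\s/]+)")


def extract_host(line, pattern=HOST_REGEX):
    """Return capture group 1 for the line, or None when the regex does not match.

    A None here means the transform would not fire, so Splunk would keep the
    host already assigned by the forwarder (the syslog server's name).
    """
    match = pattern.match(line)
    return match.group(1) if match else None


def format_host(line, pattern=HOST_REGEX):
    """Expand FORMAT = host::$1 the way Splunk does for DEST_KEY = MetaData:Host."""
    value = extract_host(line, pattern)
    return None if value is None else "host::" + value


def check_samples(lines, pattern=HOST_REGEX):
    """Map each line to its extracted host so a batch of samples can be reviewed."""
    return {line: extract_host(line, pattern) for line in lines}


if __name__ == "__main__":
    # Constructed samples: a single-digit day padded with two spaces (standard
    # BSD syslog timestamp) and a line that does not follow the format at all.
    constructed = [
        SAMPLE,
        "Dec  8 01:02:03 core-sw1/core-sw1 99: %SYS-5-CONFIG_I: Configured from console",
        "this line is not a syslog message",
    ]
    for raw, host in check_samples(constructed).items():
        print(f"{host!r:<26} <- {raw[:60]}")
    print(format_host(SAMPLE))
    print(format_host(SAMPLE, SHORT_HOST_REGEX))
```

Two things worth keeping in mind when wiring this into Splunk: the index-time TRANSFORMS-hostname setting runs where parsing happens (an indexer or heavy forwarder), not on a universal forwarder, so the props.conf and transforms.conf stanzas belong on that tier; and any line the regex fails to match silently keeps the syslog server's name as host, so test the pattern against every device format feeding the server, not just one.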