Route syslog data to specific index by host

joshrabinowitz · ‎09-14-2011

Tried suggestions from other Q/A, but alas. Trying to route syslog data from one host to an index other than main. the host is a netapp filer and there is no option to install a forwarder, so it's just sending data on 514. single indexer/search head, target index is setup and named 'netapp'

props.conf

[host::host1.fqdn]
TRANSFORMS-movetonetappindex = netappindex

transforms.conf

[netappindex]
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = netapp

Running 4.2.1, build 98164 on rhel5_5 2.6.18-238.12.1.el5

gkanapathy · ‎09-14-2011

It's possible that your host value is not in fact host.fqdn. If your sourcetype is syslog, Splunk applies a transform that modifies the host according to what's in the event data. But the selection of rules from props.conf is applied based on the *un*transformed host, so it may be the IP address, or something.

This is much easier to deal with if you receive the data using syslog or syslog-ng or rsyslog, write it to a set of files split out by hostname, and then have Splunk monitor those files, using the host_segment or host_regex to set the host name.

Also (and this isn't why it's failing), don't use .* as your matching regex. There's no need to match up against the entire string. Simply . or (?=) will work fine.

joshrabinowitz · ‎09-14-2011

what else could the event data have for 'host' [if not the ip] and where could i find this info? thx

joshrabinowitz · ‎09-14-2011

tried using the ip instead of hostname, same result. should also point out that syslog comes in on 514, then iptables routes it to 9514 and splunk has a UDP input on 9514.

Route syslog data to specific index by host

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases