Forums: SplunkAdministration: hostname extraction for different sourcetype


Hi,

I have installed a light forwarder on one of my syslog servers (B), forwarding to the main server where indexing is done. On forwarder B I have set a different sourcetype than "syslog" to create easier filters in the roles assigned to users.
My problem is that on the main server the host field is always set to the hostname of forwarder B instead of being extracted from the message.

If I set the sourcetype on the forwarder to "syslog" then the host field is extracted correctly.

Do I have to do host field extraction for this sourcetype as well? If yes, how and where (props.conf, transforms.conf)?

Thanks

If you look in $SPLUNK_HOME/etc/system/default/props.conf, you will see that we do a TRANSFORM for the sourcetype syslog to pull out the host field:

[syslog]
pulldown_type = true
maxDist = 3
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS = syslog-host
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = False

If you add this TRANSFORM to the sourcetype that you want to perform syslog host extraction on in $SPLUNK_HOME/etc/system/local/props.conf, this should work for you. For example, if the sourcetype is "foobar":

[foobar]
TRANSFORMS = syslog-host

Thanks, this works fine.
Having your attention, I would like to address another host extraction problem.
My hosts are extracted with the IP address and two other sets of digits (might be interface and port, e.g. 213.46.173.237.227.111) instead of having only the IP.

Where can I modify this extraction? I do not want to extract another field from the host field, as I think this would take additional performance.

You can override the extracts that are run, e.g. in this case if you create an entry in your local props.conf file with:

[syslog]
TRANSFORMS = my-new-syslog-extraction

The "TRANSFORMS" value will override the default "TRANSFORMS" value. You can then make a new transform "my-new-syslog-extraction" in your local transforms.conf (perhaps base it on the original "syslog-host" if you like) and it will run that instead.
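As an added example (not part of the thread, and not Splunk's shipped syslog-host stanza), the script below shows what "base it on the original" amounts to for the IP-plus-digits problem: two hypothetical transforms.conf stanzas are loaded, a loose one that takes everything up to the next space after the timestamp as the host, and a tightened "my-new-syslog-extraction" whose capture group stops at a dotted quad or a hostname. The regexes, stanza names and the sample syslog lines are all constructed for this example; the DEST_KEY/FORMAT layout follows the usual Splunk host-override convention.

```python
import configparser
import re

# Constructed sample syslog lines (not from the post). The first carries a
# host written as IP plus two extra number groups, like the thread's
# 213.46.173.237.227.111; the second is a plain hostname.
SAMPLE_LINES = [
    "Oct 12 14:03:21 213.46.173.237.227.111 sshd[1234]: Accepted publickey for admin",
    "Oct 12 14:03:22 fw-edge-01 kernel: iptables DROP IN=eth0 OUT=",
]

# Two hypothetical transforms.conf stanzas. Both regexes are assumptions
# written for this example; they are not copied from Splunk's defaults.
TRANSFORMS_CONF = r"""
[loose-syslog-host]
DEST_KEY = MetaData:Host
REGEX = ^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+([^\s]+)\s
FORMAT = host::$1

[my-new-syslog-extraction]
DEST_KEY = MetaData:Host
REGEX = ^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z][\w.-]*)[\s.]
FORMAT = host::$1
"""


def load_transforms(conf_text):
    """Parse ini-style stanzas into {stanza_name: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep REGEX / FORMAT / DEST_KEY exactly as written
    cp.read_string(conf_text)
    return {name: dict(cp[name]) for name in cp.sections()}


def apply_transform(stanza, line):
    """Return the host a Splunk-style transform would assign to one line, or None."""
    m = re.search(stanza["REGEX"], line)
    if not m:
        return None
    value = stanza["FORMAT"].replace("$1", m.group(1))  # e.g. host::213.46.173.237
    return value.split("::", 1)[1]


def extract_hosts(conf_text, stanza_name, lines):
    """Run one named stanza over several lines and collect the host values."""
    stanza = load_transforms(conf_text)[stanza_name]
    return [apply_transform(stanza, line) for line in lines]


if __name__ == "__main__":
    for name in ("loose-syslog-host", "my-new-syslog-extraction"):
        print(name, extract_hosts(TRANSFORMS_CONF, name, SAMPLE_LINES))
```

Pointing `TRANSFORMS = my-new-syslog-extraction` at a stanza like the second one, as the post above describes, keeps the extraction in the indexing pipeline rather than adding a search-time field on top of host.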
