http://www.splunk.com/support/forum:SplunkAdministration/3423 Mon, 13 Feb 2012 17:48:51 PST Mon, 13 Feb 2012 17:48:51 PST en-us http://creativecommons.org/licenses/by-nc-nd/2.5/ http://www.splunk.com/support/forum:SplunkAdministration/3423/11229 <p>You can override the extracts that are run, e.g. in this case if you create an entry in your local props.conf file with:</p> <p>[syslog]<br /> TRANSFORMS = my-new-syslog-extraction</p> <p>The &quot;TRANSFORMS&quot; value will override the default &quot;TRANSFORMS&quot; value. You can then make a new transform &quot;my-new-syslog-extraction&quot; in your local transforms.conf (perhaps base it on the original &quot;syslog-host&quot; if you like) and it will run that instead.</p> Fri, 23 Oct 2009 08:07:44 PDT gkanapathy http://www.splunk.com/support/forum:SplunkAdministration/3423/11229 http://www.splunk.com/support/forum:SplunkAdministration/3423/11224 <p>thanks this works fine.<br /> having your attention i would like to address another host extraction problem.<br /> my hosts are extracted with the IPaddress and two other sets of digits (might be interface and port-&gt; eg,. 213.46.173.237<strong>.227.111</strong>) instead having only the IP.</p> <p>Where can i modify this extraction? I do not want to extract another field from the host field, as i think this would take additional performance.</p> Fri, 23 Oct 2009 00:17:36 PDT ccan http://www.splunk.com/support/forum:SplunkAdministration/3423/11224 http://www.splunk.com/support/forum:SplunkAdministration/3423/11116 <p>If you look in $SPLUNK_HOME/etc/system/<strong>default</strong>/props.conf, you will see that we do a TRANSFORM for the sourcetype syslog to pull out the host field:</p> <p>[syslog]<br /> pulldown_type = true <br /> maxDist = 3<br /> TIME_FORMAT = %b %d %H:%M:%S<br /> MAX_TIMESTAMP_LOOKAHEAD = 32<br /> <strong>TRANSFORMS = syslog-host</strong><br /> REPORT-syslog = syslog-extractions<br /> SHOULD_LINEMERGE = False</p> <p>If you add this TRANSFORM to the sourcetype that you want to perform syslog host extraction on in $SPLUNK_HOME/etc/system/<strong>local</strong>/props.conf, this should work for you. For example, if the sourcetype is &quot;foobar&quot;:</p> <p>[foobar]<br /> TRANSFORMS = syslog-host</p> Thu, 15 Oct 2009 07:57:40 PDT araitz http://www.splunk.com/support/forum:SplunkAdministration/3423/11116 http://www.splunk.com/support/forum:SplunkAdministration/3423/11109 <p>Hi,</p> <p>i have installed a light forwarder on one of my syslog server (B), forwarding to the main server where indexing is done. On the forwarder B i have set a different source type than &quot;syslog&quot; to create easier filters in the roles assigned to user.<br /> My problem is that on the main server the host filed is allways set to the hostname of the Forwarder B instead extracting from the message,</p> <p>If i set the sourcetype on the forwarder to &quot;syslog&quot; then the host field is extracted correctly.</p> <p>Do i have to do host field extraction for this sourcetype as well? If yes how and where (props.conf, transform.conf)?</p> <p>thanks</p> Thu, 15 Oct 2009 02:12:05 PDT ccan http://www.splunk.com/support/forum:SplunkAdministration/3423/11109