
Simple host field change - does not work

Hey guys, so I'm rather new to Splunk, and we're implementing a small cluster for logfile collection and SIEM purposes. One of our systems is a MobileIron Core Appliance, which features a built-in Splunk forwarder 6.0.3, while the rest of our Splunk system is running 6.5.3. This system is using a fixed hostname for the events forwarded to our Splunk system, and the system automatically uses the configured (external) system name, but I'd like to use our internal host name for these events.

So, following the documentation and a few threads here on Splunk Answers, I tried to set up the following:

/opt/splunk/etc/master-apps/_cluster/local/props.conf

    [host::vsp.my-domain.de]
    TRANSFORMS-host_rename = host_rename-vsp.my-domain.de

/opt/splunk/etc/master-apps/_cluster/local/transforms.conf

    [host_rename-vsp.my-domain.de]
    REGEX = .
    DEST_KEY = MetaData:Host
    FORMAT = host::somehost.local.lan

This all is being distributed by the cluster master through the cluster bundle - I verified the files on the indexers. Still, all events show up with the original hostname.

I have this in the cluster bundle too:

/opt/splunk/etc/master-apps/_cluster/local/props.conf

    [host::10.0.1.2]
    TRANSFORMS-drop = drop-loadbalancer

    [host::10.0.1.3]
    TRANSFORMS-drop = drop-loadbalancer

/opt/splunk/etc/master-apps/_cluster/local/transforms.conf

    [drop-loadbalancer]
    REGEX = .
    DEST_KEY = queue
    FORMAT = nullQueue

These changes work perfectly fine, so I'm pretty sure it's not an issue with the cluster distribution or the regex. Any idea on what kind of stupid mistake I might have made?
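An added example, not part of the original post and not Splunk's own code: it parses the stanzas quoted above and models, in simplified form, how a `host::` stanza in props.conf selects a transform that rewrites `MetaData:Host` or `queue`, and flags any `TRANSFORMS-` reference with no matching transforms.conf stanza. The function name `apply_index_time`, the starting queue label and the fnmatch-based host matching are assumptions of the example, and it assumes the events pass through the parsing pipeline on the instance that holds these files.

```python
import configparser
import fnmatch
import re

# Constructed inputs: the stanzas quoted in the post, merged per file.
PROPS = """
[host::vsp.my-domain.de]
TRANSFORMS-host_rename = host_rename-vsp.my-domain.de
[host::10.0.1.2]
TRANSFORMS-drop = drop-loadbalancer
[host::10.0.1.3]
TRANSFORMS-drop = drop-loadbalancer
"""
TRANSFORMS = """
[host_rename-vsp.my-domain.de]
REGEX = .
DEST_KEY = MetaData:Host
FORMAT = host::somehost.local.lan
[drop-loadbalancer]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case-sensitive key names (REGEX, DEST_KEY, ...)
    cp.read_string(text)
    return cp

def apply_index_time(host, raw, props=PROPS, transforms=TRANSFORMS):
    """Simplified model (assumption): metadata after the matching host:: stanzas run."""
    p, t = load(props), load(transforms)
    meta = {"MetaData:Host": "host::" + host, "queue": "indexQueue"}
    problems = []
    for stanza in p.sections():
        # Only host:: stanzas are modelled; '*' wildcards are matched with fnmatch.
        if not stanza.startswith("host::") or not fnmatch.fnmatchcase(host, stanza[6:]):
            continue
        for key, value in p[stanza].items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                if name not in t:
                    problems.append(f"{stanza}: {key} -> missing [{name}]")
                elif re.search(t[name]["REGEX"], raw):  # REGEX runs against the raw event
                    meta[t[name]["DEST_KEY"]] = t[name]["FORMAT"]
    return meta, problems
```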
