I have a dedicated server which is running syslog-ng and a universal forwarder.
I want to set 3 things, one of them dynamically:
```
# /opt/splunkforwarder/etc/system/local/inputs.conf
[monitor:///data/syslog-ng/logs/u514/cisco/ios/*/*.log]
sourcetype = syslog
source = syslog-ng:udp514
host_segment = 7
```
The problem is that I cannot set source and host_segment (or host_regex) at the same time.
Because the host_segment uses (why ever on earth I don't know) the source string.
Host segment defines the "7" position as the host variable.
So if I define the source by myself, host_segment will fail.
**Is it possible to have a manually created source field and a dynamically generated host field?**
I could do this by creating a new props.conf and transforms.conf to manipulate the source segment. But I do not want this to be generally done... There are a few logs for which I do not want that.