Rewriting sourceHost automatically

Follow

Jon Fortes

• October 25, 2018 13:38

I'd like to force sourceHost to be just a machine's hostname and not the fully qualified domain name.  Is there a way to to this through sumo.conf or using a rule?

I'm already setting the collector name like this (via puppet, setting the name variable in sumo.conf), but I'm not seeing any way to force sourceHost this way.

 

 

0

• 

  Latimer Luis

  • November 02, 2018 18:10

  Jon - would it be safe to assume that the _sourceHost would be equivalent to the _collector name in this case? 
  
  If so, you can configure a Field Extraction Rule (FER) with this parse expression:
  
  _collector as _sourceHost
  
  The tricky thing could be what metadata you would need to use to limit the search scope for this FER. Maybe something like the following would work: 
  
  _sourceHost=*<domain1>.com or _sourceHost=*<domain2>.com

  0

  Comment actions Permalink
• 

  Jon Fortes

  • December 01, 2018 15:03

  Yes, in this case  _sourceHost would be equivalent to the _collector name.

   

  0

  Comment actions Permalink

Please sign in to leave a comment.