The Cisco IOS app displays all entries as originating with the "Host" IP address, using the syslog relay address instead of the actual IP address of the devices. The original IP address of the source is maintained in the SYSLOG message with the format Original Address=xxx.xxx.yyy.yyy.
I have modified Splunk using the advice shown here, which did correctly change the source IP addresses in the main index for the Splunk search application. The Cisco IOS App, however, continues to parse the SYSLOG relay IP in the host field of the app.
I modified the props.conf and transforms.conf in the Cisco IOS TA folder; however, it did not change the behaviour.
Does anyone know how I can change the App so that the host IP address shown and used is the actual (original) IP address vice the address of our relay?
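The host rewrite described in this post, modelled outside Splunk as an added example (not code from the post or from the Cisco IOS app): it extracts the Original Address= value from relayed syslog lines and falls back to the relay address when the field is missing or is not a valid IPv4 address. The function names, relay address and sample events are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Pattern for the relay's "Original Address=a.b.c.d" field, as described in the post.
# The trailing (?!\d) stops a longer digit run from being cut down to a partial match.
ORIGINAL_ADDRESS = re.compile(r"Original Address=(\d{1,3}(?:\.\d{1,3}){3})(?!\d)")


def effective_host(relay_host, message):
    """Return the device address carried in the message, else the relay address."""
    match = ORIGINAL_ADDRESS.search(message)
    if not match:
        return relay_host
    try:
        # Reject values such as 999.1.1.1 that fit the pattern but are not IPv4.
        return str(ipaddress.IPv4Address(match.group(1)))
    except ipaddress.AddressValueError:
        return relay_host


# Constructed sample events: (address the relay sends from, raw message).
RELAY = "192.0.2.10"
SAMPLE_EVENTS = [
    (RELAY, "<189>Original Address=198.51.100.7 %LINK-3-UPDOWN: Interface Gi0/1, changed state to up"),
    (RELAY, "<189>Original Address=198.51.100.8 %SYS-5-CONFIG_I: Configured from console"),
    (RELAY, "<189>Original Address=999.1.1.1 %SYS-5-RESTART: System restarted"),
    (RELAY, "<189>%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host started"),
]


def hosts_after_rewrite(events):
    """Count events per host once the original address replaces the relay address."""
    return Counter(effective_host(relay, msg) for relay, msg in events)


if __name__ == "__main__":
    for host, count in sorted(hosts_after_rewrite(SAMPLE_EVENTS).items()):
        print(host, count)
```

Events that still land under the relay address after the rewrite are the ones to inspect: they either lack the field or carry a value that is not a usable address.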