Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to modify sourcetype and host based off of the new sourcetype

nateloepker
Explorer
‎03-14-2024 01:02 PM

Hello,

I'm attempting to change the sourcetype and host on a single event. The tricky part is I want the second transform based on the change from the first transform

For Example,

My data comes in as

 

index=main

host=heavy_forwarder

sourcetype=aws:logbucket

 

I want the data to change to

 

index=main

host=amazonfsx.host

sourcetype=XmlWinEventLog

 

The catch is that I have other sourcetypes coming in as aws:logbucket and getting transformed to various other sourcetypes (cloudtrail, config, etc). On these events I do not want to run the regex to change the host value

 

If I have a props.conf file that states

TRANSFORMS-modify_data = aws_fsx_sourcetype, aws_fsx_host

And a transforms.conf of

[aws_fsx_sourcetype]
SOURCE_KEY = MetaData:Source
REGEX = ^source::s3:\/\/fsxbucket\/.*
FORMAT = sourcetype::XmlWinEventLog
DEST_KEY = MetaData:Sourcetype

[aws_fsx_host]
REGEX = <Computer>([^.<]+).*?<\/Computer>
FORMAT = host::$1
DEST_KEY = MetaData:Host

 

I'm worried this will have unexpected results on the other sourcetypes that aws:logucket has, like cloudtrail and config.

If I break it out with two separate transforms, like this

 

TRANSFORMS-modify_data = aws_fsx_sourcetype

TRANSFORMS-modify_data2 = aws_fsx_host

 

I'm worried the typing pipeline won't see the second transform.

What is the most effective way to accomplish this?

 

Thanks,
Nate

Labels (4)
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎03-14-2024 01:31 PM

Altering host field is one of least desirable alterations but it has to be done from time to time.  In your case, you probably have to use a calculated field.

Reply

nateloepker
Explorer
‎03-14-2024 02:02 PM

I'm going to try that. I'm seeing now the Windows App has a default transformation called "WinEventXmlHostOverride" that will override the host with the "Computer" Xml value. Do you see any negative from doing this at search-time rather than index-time?

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎03-14-2024 04:29 PM

Calculated field and transforms are also search time.  The general advice is to be very careful in making index time calculations. (Except filtering down.)

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...