How to apply rex for a field on mutiple sources

theouhuios · ‎03-13-2014

Hello

I am trying to change the data of the host field which has already been indexed. The host field has values in 3 different formats . What I am looking to do is to take the value of IP as it is and then for any FQDN's just extract the first part and ignore rest.

IP Address : 10.1.1.1
FQDN 1 = abc123.company.com
FQDN 2 = abc123.ntwrk.company.com

So when I use this regex on the SH rex field=host "(?P<host>\d+\.\d+\.\d+\.\d+|([A-Za-z0-9]+))" it works without any issues. I have to apply this on /var/log/splunk/.../.../.../*.log a path which is being used as a source for multiple indexes.

So the props.conf I have as

[source::/var/log/splunk/.../.../.../*.log]
TRANSFORMS-replacehostname = replace_host

and transforms .conf as

   [replace_host]
    SOURCE_KEY=fields:host
    REGEX = ^host::(\d+\.\d+\.\d+\.\d+|([A-Za-z0-9]+))
    FORMAT = host::$1
    DEST_KEY = Metadata:Host

I am sending this to SH and it looks like it doesn't make any change. Any help on why its not working?

krish3 · ‎03-13-2014

And also as an alternative you can place your rex command in the props.conf as this:

[sourcetype]
.....
EXTRACT-host = (?P<host>\d+\.\d+\.\d+\.\d+|([A-Za-z0-9]+))

no need of using transforms.conf here

krish3 · ‎03-13-2014

place it on the indexer as well... Since splunk refers transforms.conf during index time.

krish3 · ‎03-13-2014

Try this...

In props.conf:

REPORT-gethost = gethost

In transforms.conf:

[gethost]
SOURCE_KEY = _raw
REGEX = (?<extracted_newhost>(\d+\.\d+\.\d+\.\d+|([A-Za-z0-9]+))$

theouhuios · ‎03-14-2014

Even this doesn't work, when I try it on [source::/var/log/splunk/.../.../.../*.log]

theouhuios · ‎03-13-2014

searchhead

krish3 · ‎03-13-2014

where are you placing your props.conf and transforms.conf..

How to apply rex for a field on mutiple sources

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!