Splunk Search

How to edit my props.conf and transforms.conf to set the Host value to a portion of each event?

lawndart
New Member

I'm trying to set my "host" field to a portion of each event (it's traffic logs aggregated from a number of places) and I THINK I have my conf files set up correctly, but it obstinately refuses to function.

My transforms.conf:

[agg_traffic-HostSet]
REGEX = ^[^,]+,[^,]+,[^,]+,[^,]+,\d+,[^,]+[^,\n]*,[^,]+,[^,]+,([^,]+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

My props.conf:

[agg_traffic]
TRANSFORMS-agg_traffic = agg_traffic-HostSet

Example csv formatted event:

2015-06-01,20150601,127.0.0.1,10.10.0.1,800,17,DNS,site02,site02,<Event continues>

So that SHOULD set host=site02 (overriding the manual host definition from the input), except it doesn't. What have I screwed up? If I dump the regex into the rex command, it works exactly like I want it to.

0 Karma
1 Solution

stephanefotso
Motivator

Update your transforms.conf like this, without FORMAT:

My transforms.conf:

[agg_traffic-HostSet]
REGEX = ^[^,]+\,[^,]+\,[^,]+\,[^,]+\,\d+\,[^,]+(?<host>[^,])
DEST_KEY = MetaData:Host
SGF

lawndart
New Member

Aaaand that did it. Thanks for the quick help! Why did that work when the FORMAT option didn't?

0 Karma

stephanefotso
Motivator

The problem is the extraction. Here you have a simple REGEX with a named capturing group, so you don't need to specify a FORMAT.

SGF
0 Karma
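The mechanics behind the two stanzas, as an added example that is not part of this thread: a small Python simulation of what an index-time transform writes to `MetaData:Host` for the question's sample event, once with the numbered group plus `FORMAT = host::$1`, once with a named group and no FORMAT. Python's `re` stands in for Splunk's PCRE engine (named groups are rewritten from `(?<name>` to `(?P<name>`), and the named-group stanza below is my own variant that captures `[^,]+`, the whole field. Because a host override like this takes the host value from event content, the script also keeps the input's configured host whenever the captured text does not look like a hostname; the `HOST_OK` pattern and the `aggregator01` default are assumptions for the example.

```python
import re

# Sample CSV event, copied from the question; the host should come from the 9th field.
SAMPLE_EVENT = (
    "2015-06-01,20150601,127.0.0.1,10.10.0.1,800,17,DNS,site02,site02,<Event continues>"
)

# Stanza 1: the question's form, a numbered group with FORMAT = host::$1.
STANZA_FORMAT = {
    "REGEX": r"^[^,]+,[^,]+,[^,]+,[^,]+,\d+,[^,]+[^,\n]*,[^,]+,[^,]+,([^,]+)",
    "FORMAT": "host::$1",
    "DEST_KEY": "MetaData:Host",
}

# Stanza 2: a named capture group and no FORMAT (assumed variant: the group is
# `[^,]+`, so it takes the whole 9th field).
STANZA_NAMED = {
    "REGEX": r"^[^,]+,[^,]+,[^,]+,[^,]+,\d+,[^,]+,[^,]+,[^,]+,(?<host>[^,]+)",
    "DEST_KEY": "MetaData:Host",
}

# Assumed sanity check: hostname characters only. Anything else keeps the input's host.
HOST_OK = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")


def pcre_to_python(regex: str) -> str:
    """Splunk uses PCRE, where named groups are (?<name>...); Python needs (?P<name>...).
    Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", regex)


def apply_transform(stanza: dict, event: str):
    """Return the value the stanza would write to DEST_KEY, or None if REGEX does not match."""
    m = re.compile(pcre_to_python(stanza["REGEX"])).search(event)
    if m is None:
        return None
    fmt = stanza.get("FORMAT")
    if fmt is None:
        # No FORMAT: the named group supplies the key (host) and its match the value.
        return m.group("host")
    # FORMAT present: expand $1, $2, ... and strip the "host::" key prefix.
    expanded = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), fmt)
    return expanded.split("::", 1)[1] if "::" in expanded else expanded


def resolve_host(stanza: dict, event: str, input_host: str) -> str:
    """Host the event would be indexed with: the captured value when it looks like a
    hostname, otherwise the host configured on the input."""
    captured = apply_transform(stanza, event)
    if captured is None or not HOST_OK.match(captured):
        return input_host
    return captured


if __name__ == "__main__":
    for name, stanza in (("FORMAT", STANZA_FORMAT), ("named group", STANZA_NAMED)):
        print(f"{name:11s} -> host={resolve_host(stanza, SAMPLE_EVENT, 'aggregator01')}")
    # Constructed event whose 9th field is not a hostname: the input's host is kept.
    tampered = SAMPLE_EVENT.replace("site02,site02", "site02,evil host;x")
    print(f"tampered    -> host={resolve_host(STANZA_NAMED, tampered, 'aggregator01')}")
```

Both stanzas yield `host=site02` for the sample event; the difference is only in how the key is supplied (FORMAT string versus group name). The `resolve_host` fallback is the part worth carrying into a real deployment: once host, source or sourcetype is derived from data that arrives from many upstream senders, a malformed or hostile field would otherwise become the indexed metadata used for searching and alert routing.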

lawndart
New Member

Oh, I put the files in both etc/system/local and also in apps/search/local (not at the same time), just in case that made any difference. It didn't.

0 Karma