I have a 4.3 indexer and a 4.3 forwarder. The forwarder is reading the contents of a file and sending the messages over to the indexer. The messages that are written to the file are from multiple hosts. When the messages are forwarded to the indexer, they all show as being from one single host (the forwarder). I attempted to do a host override, and, for a brief time, it worked. I left the system alone for a while and came back to it a week or so later. Now, it's back to reading everything from a single host.
I'm the only person that has access to the server (it's still in dev), and I'm pretty sure I didn't make any changes before I left it, but perhaps I did... Here's what I'm doing...
On the indexer, /opt/splunk/etc/system/local/transforms.conf says this:
h_o_transform]
DEST_KEY = MetaData:Host
REGEX = ZENOSS-MIB::evtDevice = STRING: "(\S+)"
And props.conf (in the same directory) says this:
[source::/var/log/snmptraps.log]
TRANSFORMS-hostoverride=h_o_transform
A couple notes:
1. that source in the props.conf is the file that the forwarder is reading. It resides on the forwarder itself. I wasn't sure if there was some sort of distinction I needed to make to specify that that source was from a particular forwarder?
2. the transform listed needs to match events with strings like this:
ZENOSS-MIB::evtDevice.0 = STRING: "devicehostname.com"
Where devicehostname.com is the part of the event that I want to make into the "new" hostname. The quotes are part of the event. And the ".0" is present in some events, but not in others. The regex I'm using works on a couple regex tester sites I visited..
So I'm not sure what I'm doing wrong. I suspect that it may be the [source::...] line in my props.conf, but I couldn't find anything that said that I should do anything differently than I'm doing.
And, for the record, I asked a very similar question to this a couple weeks ago, but I've changed a couple things since then and felt it would be better to just ask the question again rather than resurrect that one...
Thank you!
Two simple stupid things to check:
You are not missing the leading square bracket in the transforms stanza name?
You are applying the setting on the right machine? If your forwarder is a Heavy Forwarder, the props/transforms stuff should go there, if it is a LightWeight or Universal Forwarder, the config should be done on the indexer.
Normally, things do not stop working if unless you (or somebody else) made a change somewhere
/kristian
On your transform you also need the line;
FORMAT = host::$1
actually, that line is already in there... I'm not sure how I missed it in the copy/paste process... This is my transforms.conf
h_o_transform]
DEST_KEY = MetaData:Host
REGEX = ZENOSS-MIB::evtDevice = STRING: "(\S+)"
FORMAT = host::$1
Thanks for the quick answer though. 🙂