Getting Data In

continuing issues with host override

mloven
Path Finder

I have a 4.3 indexer and a 4.3 forwarder. The forwarder is reading the contents of a file and sending the messages over to the indexer. The messages that are written to the file are from multiple hosts. When the messages are forwarded to the indexer, they all show as being from one single host (the forwarder). I attempted to do a host override, and, for a brief time, it worked. I left the system alone for a while and came back to it a week or so later. Now, it's back to reading everything from a single host.

I'm the only person who has access to the server (it's still in dev), and I'm pretty sure I didn't make any changes before I left it, but perhaps I did... Here's what I'm doing.

On the indexer, /opt/splunk/etc/system/local/transforms.conf says this:

h_o_transform]
DEST_KEY = MetaData:Host
REGEX = ZENOSS-MIB::evtDevice = STRING: "(\S+)"

And props.conf (in the same directory) says this:

[source::/var/log/snmptraps.log]
TRANSFORMS-hostoverride=h_o_transform

A couple notes:

1. That source in the props.conf is the file that the forwarder is reading. It resides on the forwarder itself. I wasn't sure if there was some sort of distinction I needed to make to specify that the source was from a particular forwarder.
2. The transform listed needs to match events with strings like this:

ZENOSS-MIB::evtDevice.0 = STRING: "devicehostname.com"

Where devicehostname.com is the part of the event that I want to make into the "new" hostname. The quotes are part of the event, and the ".0" is present in some events but not in others. The regex I'm using works on a couple of regex tester sites I visited.

So I'm not sure what I'm doing wrong. I suspect that it may be the [source::...] line in my props.conf, but I couldn't find anything that said that I should do anything differently than I'm doing.

And, for the record, I asked a very similar question to this a couple weeks ago, but I've changed a couple things since then and felt it would be better to just ask the question again rather than resurrect that one...

Thank you!

0 Karma

kristian_kolb
Ultra Champion

Two simple stupid things to check:

  1. You are not missing the leading square bracket in the transforms stanza name?

  2. You are applying the setting on the right machine? If your forwarder is a Heavy Forwarder, the props/transforms stuff should go there; if it is a Lightweight or Universal Forwarder, the config should be done on the indexer.

Normally, things do not stop working unless you (or somebody else) made a change somewhere.

/kristian

Drainy
Champion

On your transform you also need the line:

FORMAT = host::$1
0 Karma

mloven
Path Finder

Actually, that line is already in there... I'm not sure how I missed it in the copy/paste process. This is my transforms.conf:

h_o_transform]
DEST_KEY = MetaData:Host
REGEX = ZENOSS-MIB::evtDevice = STRING: "(\S+)"
FORMAT = host::$1

Thanks for the quick answer though. 🙂

0 Karma
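One thing worth checking before touching more config is whether the REGEX as posted actually matches the events that are arriving. As written, it requires the literal text "evtDevice = " immediately after the OID name, so an event carrying the ".0" instance suffix the original poster describes ("evtDevice.0 = ") would not match and would keep the forwarder's host. The script below is an added example, not code from the thread or from Splunk: it emulates what a transform with DEST_KEY = MetaData:Host and FORMAT = host::$1 does to the host field, runs the posted regex and a more tolerant variant (an assumption, not a setting from the thread) over constructed sample lines, and reports which host each event would end up with. Python's re module is used as a stand-in for the PCRE engine Splunk uses; for patterns this simple the behaviour is the same. Note the security caveat this setup implies: the host field is being taken from untrusted trap content, so anything that can write a line with that string into snmptraps.log can choose the host it is indexed under.

```python
import re

# REGEX exactly as posted in the thread's transforms.conf.
POSTED_REGEX = re.compile(r'ZENOSS-MIB::evtDevice = STRING: "(\S+)"')

# Assumed variant (not from the thread): tolerates the optional ".0" instance
# suffix and stops the capture at the closing quote instead of at whitespace.
TOLERANT_REGEX = re.compile(r'ZENOSS-MIB::evtDevice(?:\.0)? = STRING: "([^"]+)"')

# Constructed sample lines in the shape the poster describes; not real data.
SAMPLE_EVENTS = [
    'ZENOSS-MIB::evtDevice = STRING: "router1.example.com"',
    'ZENOSS-MIB::evtDevice.0 = STRING: "switch2.example.com"',
    'ZENOSS-MIB::evtSummary.0 = STRING: "link down"',
]

# Host the events would carry if no override fires (the forwarder's own name;
# assumed value for illustration).
DEFAULT_HOST = "forwarder01"


def apply_host_override(event, regex, default_host=DEFAULT_HOST):
    """Emulate one transform: DEST_KEY = MetaData:Host, FORMAT = host::$1.

    Splunk matches REGEX unanchored against the raw event and, on a hit,
    writes FORMAT with $1 substituted into the destination key. Here that
    becomes the string 'host::<capture>'; the part after 'host::' is the
    value the event would be indexed under. No match leaves the host alone.
    """
    match = regex.search(event)
    if match is None:
        return default_host
    formatted = "host::" + match.group(1)  # what FORMAT = host::$1 produces
    return formatted.split("::", 1)[1]


def resolve_hosts(events, regex):
    """Return the host each event would get under the given REGEX."""
    return [apply_host_override(event, regex) for event in events]


def unmatched_events(events, regex):
    """Events that would silently keep the forwarder's host under this REGEX."""
    return [event for event in events if regex.search(event) is None]


if __name__ == "__main__":
    for label, regex in (("posted", POSTED_REGEX), ("tolerant", TOLERANT_REGEX)):
        print(f"--- {label} regex ---")
        for event, host in zip(SAMPLE_EVENTS, resolve_hosts(SAMPLE_EVENTS, regex)):
            print(f"{host:24s} <- {event}")
```

Run it against a few real lines copied from the forwarder's snmptraps.log (replace SAMPLE_EVENTS) to see which events the posted pattern actually touches; any line that lands in unmatched_events will keep the forwarder's hostname no matter which machine the props/transforms live on.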