Solved: Renaming Host Dynamically

peter_gianusso · ‎09-18-2012

Trying to assign the "esxi_hosts" sourcetype to any event that has a value of "vm[0-9][0-9]" for the host field:

inputs.conf

[monitor://\\njros1bva0597\d$\LogFiles\W3SVC1\]
disabled = 0
host = VM99
index=imaging
whitelist = \.log$

props.conf

[source::...\\ex*.log] 
sourcetype = VM88

[source::...\\CAPPM*.log] 
sourcetype = VM11

[VM88]

TRANSFORMS-hostname = rewrite_sourcetype_from_host

transforms.conf

[rewrite_sourcetype_from_host]
SOURCE_KEY = MetaData:Host
REGEX = vm\d\d
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::esxi_hosts

peter_gianusso · ‎09-18-2012

a fix to the regex of
vm\d\d
to
VM\d\d
fixed the issue

View solution in original post

peter_gianusso · ‎09-18-2012

a fix to the regex of
vm\d\d
to
VM\d\d
fixed the issue

peter_gianusso · ‎09-18-2012

no that won't fix the issue given the scenario...the source type is dynamically assigned in the props.conf

piebob · ‎09-18-2012

let us know if this fixes the issue, and i will convert Kristian's comment to an answer 🙂

peter_gianusso · ‎09-18-2012

there are multiple log files in the directory and they are being assigned a sourcetype in the props.conf dynamically...I tried to simplify the information because I didn't think it was relevant...I will add the stanza

kristian_kolb · ‎09-18-2012

maybe I'm missing something... can't you just set the sourcetype in the monitor stanza in inputs.conf

[monitor] sourcetype=esxi_hosts blah blah blah etc. etc.

peter_gianusso · ‎09-18-2012

source type always ends up as VM88

Renaming Host Dynamically

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!