Getting Data In

Props/transforms issue with host extraction and Line breaking

sidhantbhayana
Path Finder

Transforms.conf

[force_host_for_testdata]
DEST_KEY = MetaData:Host
REGEX = server:([^\]+)
FORMAT = host::$1

[force_host_for_testdata_1]
DEST_KEY = MetaData:Host
REGEX = MQ:\s+([^\]+)
FORMAT = host::$1

Props.conf
[test_st]
TZ = GMT
# LINE_BREAKER must contain a capturing group: Splunk discards the group's
# text and starts the next event right after it, so capture the newline(s)
# before the timestamp rather than the timestamp itself
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+Information:
SHOULD_LINEMERGE = false
TRANSFORMS-force_host_for_testdata = force_host_for_testdata
TRANSFORMS-force_host_for_testdata_1 = force_host_for_testdata_1

This config works on my local machine, but when pushed to heavy forwarders it doesn't work!

I need suggestions as to what is going wrong.


harsmarvania57
SplunkTrust

Is the test_st sourcetype data coming from a Heavy Forwarder? If yes, then props.conf and transforms.conf should be on the HF and not on the IDX.

Additionally, can you please provide some sample data (please mask any sensitive data)?


sidhantbhayana
Path Finder

It is coming from the HF.

2017-08-02 02:16:15 Information: Process returned code XXX
ProcessLauncher\PL (Fast)
Command output:
Operating system is 32 bit
Application is running in 32 bit mode

SOME PROCESS SUCCESSFULLY EXECUTED - CODE XXX

Process exited with code XXX
Parameters:
Test.exe /component:Solution /process:"Test Process" /platform:Data /server:test-server\ABCD,12345 /db:TEST
Start: 02 Aug 2017 02:15:31
End: 02 Aug 2017 02:16:15


harsmarvania57
SplunkTrust

If your server name is test-server, then try the config below in transforms.conf:

[force_host_for_testdata]
DEST_KEY = MetaData:Host
REGEX = server\:([^\\]+)
FORMAT = host::$1

And you have provided only one data sample, so I am not sure about the other config, but give this a try or provide sample data for the regex MQ:\s+([^\]+)

[force_host_for_testdata_1]
DEST_KEY = MetaData:Host
REGEX = MQ\:\s+([^\\]+)
FORMAT = host::$1
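To see why the posted regex fails and the corrected one works, here is an added Python script that is not part of the thread and not Splunk code. It uses Python's re module as a stand-in for Splunk's PCRE engine (the patterns here use only syntax that behaves the same in both), emulates LINE_BREAKER with SHOULD_LINEMERGE = false, and applies the MetaData:Host transform to each event. The sample stream repeats the asker's event and appends a second, constructed event with a different /server: value so that line breaking has something to split; it also shows the caveat that a LINE_BREAKER needs a capturing group, whose contents Splunk discards.

```python
"""Emulate Splunk LINE_BREAKER and a MetaData:Host transform on sample data.

Added example: Python's re module stands in for Splunk's PCRE engine.
"""
import re
from typing import List, Optional

# Constructed sample stream: the asker's event (trimmed), followed by a
# second, invented event with a different /server: value.
SAMPLE_STREAM = (
    "2017-08-02 02:16:15 Information: Process returned code XXX\n"
    "ProcessLauncher\\PL (Fast)\n"
    "Command output:\n"
    "Process exited with code XXX\n"
    "Parameters:\n"
    'Test.exe /component:Solution /process:"Test Process" /platform:Data '
    "/server:test-server\\ABCD,12345 /db:TEST\n"
    "Start: 02 Aug 2017 02:15:31\n"
    "End: 02 Aug 2017 02:16:15\n"
    "2017-08-02 02:20:03 Information: Process returned code YYY\n"
    "Parameters:\n"
    "Test.exe /component:Solution /server:other-server\\EFGH,12345 /db:TEST\n"
    "Start: 02 Aug 2017 02:19:40\n"
    "End: 02 Aug 2017 02:20:03\n"
)

# Host regexes as they appear in the thread. In the originals, "\]" escapes
# the closing bracket, so the character class never terminates.
HOST_REGEX_ORIGINAL = r"server:([^\]+)"
HOST_REGEX_FIXED = r"server\:([^\\]+)"      # stop at the first backslash
MQ_REGEX_ORIGINAL = r"MQ:\s+([^\]+)"
MQ_REGEX_FIXED = r"MQ\:\s+([^\\]+)"         # no MQ sample was posted; compile check only

# A LINE_BREAKER without a capturing group is unusable in Splunk. Capturing
# the newline(s) before the timestamp keeps the timestamp in the event.
LINE_BREAKER_NO_GROUP = r"\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+Information:"
LINE_BREAKER_FIXED = r"([\r\n]+)\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+Information:"


def compiles(pattern: str) -> bool:
    """True if the regex compiles at all."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def line_breaker_is_valid(pattern: str) -> bool:
    """A usable LINE_BREAKER must compile AND contain a capturing group."""
    try:
        return re.compile(pattern).groups >= 1
    except re.error:
        return False


def break_events(stream: str, line_breaker: str) -> List[str]:
    """Split a raw stream the way LINE_BREAKER does with SHOULD_LINEMERGE = false.

    Text up to the start of the first capture group ends the previous event,
    text from the end of the group starts the next one, and the group itself
    is dropped.
    """
    if not line_breaker_is_valid(line_breaker):
        raise ValueError("LINE_BREAKER must compile and contain a capturing group")
    rx = re.compile(line_breaker)
    events, start = [], 0
    for m in rx.finditer(stream):
        chunk = stream[start:m.start(1)]
        if chunk:
            events.append(chunk)
        start = m.end(1)
    tail = stream[start:]
    if tail.strip():
        events.append(tail)
    return events


def extract_host(event: str, regex: str, fmt: str = "host::$1") -> Optional[str]:
    """Apply a transforms.conf stanza with DEST_KEY = MetaData:Host to one event.

    Returns the host value the stanza would set, or None when REGEX does not
    match (the event then keeps the host the forwarder assigned).
    """
    m = re.search(regex, event)
    if not m:
        return None
    return fmt.replace("$1", m.group(1)).split("::", 1)[1]


if __name__ == "__main__":
    for name, pat in (("original", HOST_REGEX_ORIGINAL), ("fixed", HOST_REGEX_FIXED)):
        print(f"{name} host regex compiles: {compiles(pat)}")
    print("LINE_BREAKER without group usable:", line_breaker_is_valid(LINE_BREAKER_NO_GROUP))
    for ev in break_events(SAMPLE_STREAM, LINE_BREAKER_FIXED):
        print(repr(ev[:40]), "->", extract_host(ev, HOST_REGEX_FIXED))
```

Running the script shows the original patterns failing to compile, which matches why the stanzas silently did nothing on the HF, and the fixed pattern yielding test-server and other-server for the two events. A practical check before deploying such a transform is to confirm that the regex compiles and that the capture stops at the first backslash, since a domain-style value like test-server\ABCD would otherwise leak the instance name into the host field.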

sidhantbhayana
Path Finder

Found it working, thanks


mayurr98
Super Champion

You need to put props.conf and transforms.conf on the indexer, not on the forwarders, and then restart the indexer.


sidhantbhayana
Path Finder

This feed is coming from the HF, so is there still a need to deploy on the indexers?
