I'm very new to Splunk. I'm trying to use transforms.conf and props.conf to set the host value to something based on a regex. Every time I try it, the host value is always set to $1.
This is my transforms.conf
[setHost]
DEST_KEY = MetaData:Host
SOURCE_KEY = MetaData:Source
REGEX = webserver\d{0,2}-\d{0,3}
FORMAT = host::"$1"
This is my props.conf
[iis]
TRANSFORMS-setHost = setHost
The source that it's coming from looks like this: /var/logs/webserver01-003/blah.log
How do I get this to work?
Thank you.
Or much simpler: set host_segment = 3
in inputs.conf and you can forget about that whole TRANSFORMS stuff 🙂
Remove the double quotes around $1 in your FORMAT, and add a capturing group to your REGEX around whatever you want the host value to be. $1 refers to the first capturing group; without a capturing group there's nothing to refer to.