Solved: host_regex vs tranforms.

a212830 · ‎02-22-2014

Hi,

I am processing lots of syslog messages via rsyslog. The messages get routed to logfiles, which have the format of system-hostname.log. In order to get the proper hostname, I had been using a transforms, but I recently realized that I could to the same via host_regex. Which is the preferred method?

rsennett_splunk · ‎02-22-2014

If there were a "Best Practice" per-se (which there really isn't, in this case) it would be as you have done, to have the host designated in the file name, since the file name is accessible from so many different configuration files. So Bravo for the accidental forethought!

It's more a consideration as to flexibility and a consideration of "what might change". The host_regex is on the inputs and therefore tied to the source. So you could still change it at index time by catching it in a transforms should you need to, on the other hand... if you have individual input monitors routing to various sourcetypes, you are repeating your host_regex declaration over and over... and should you want to make a universal change, now you have individual inputs to attend to, whereas you can build a regex in a transforms that simply grabs the host from the filename universally (or to whatever scope you require)

So the answer is: "It Depends" 🙂

It really does depend on your overall topography. And really - the host_regex is a more granular designation. It applies only to that one source on that one inputs monitor. A transforms stanza could be applied to many sources.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

View solution in original post

rsennett_splunk · ‎02-22-2014

If there were a "Best Practice" per-se (which there really isn't, in this case) it would be as you have done, to have the host designated in the file name, since the file name is accessible from so many different configuration files. So Bravo for the accidental forethought!

It's more a consideration as to flexibility and a consideration of "what might change". The host_regex is on the inputs and therefore tied to the source. So you could still change it at index time by catching it in a transforms should you need to, on the other hand... if you have individual input monitors routing to various sourcetypes, you are repeating your host_regex declaration over and over... and should you want to make a universal change, now you have individual inputs to attend to, whereas you can build a regex in a transforms that simply grabs the host from the filename universally (or to whatever scope you require)

So the answer is: "It Depends" 🙂

It really does depend on your overall topography. And really - the host_regex is a more granular designation. It applies only to that one source on that one inputs monitor. A transforms stanza could be applied to many sources.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

martin_mueller · ‎02-22-2014

If the host is in the path you should extract it from there using host_regex. In principle that should allow Splunk to extract it once per file, not once per event. Didn't test if Splunk is that smart in this case, but usually it is 🙂

host_regex vs tranforms.

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases