Splunk Search

How to convert computer name to host name?

AKG
Path Finder

Hi

We have an environment where

Windows events are forwarded => Windows Event Collector
Windows Event Collector => Splunk indexer

The Splunk forwarder has been installed only on the Collector server.

In Splunk, the host name for all Windows events is the Windows Event Collector.

How do we make hostname = computer-name?

Is there a way to do this?

Thank you in advance.

1 Solution

Jeremiah
Motivator

This is what we use with the Windows Event Collection service. We put the WEC server hostname into a field called forwarder (so we know which collector sent the data) and then set the host field according to the ComputerName value in the Windows event.

In props.conf:

[(?:::){0}WinEventLog:...]
TRANSFORMS-FixWinEventLogHost = WinEventLog-SetForwarderName,WinEventLog-SetOriginatingHost

In transforms.conf:

[WinEventLog-SetForwarderName]
REGEX = ^host::(.*)$
SOURCE_KEY = MetaData:Host
FORMAT = forwarder::$1
WRITE_META = true

[WinEventLog-SetOriginatingHost]
REGEX = (?m)^ComputerName=([^\.\v]++)
FORMAT = host::$1
DEST_KEY = MetaData:Host

We run universal forwarders on the WEC servers and deploy this configuration on our indexers. If you run a heavy forwarder on your WEC server, you should deploy these changes there instead. If you don't want to capture the forwarder name in a field, just omit the WinEventLog-SetForwarderName portion.

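As an added illustration (not code from the thread or from Splunk), the following Python script mimics what the two transforms.conf stanzas above do to the host field, run over a few constructed WinEventLog events. Python's re module has no possessive quantifier and no PCRE \v class, so the pattern is written as the equivalent [^.\r\n\x0b\x0c]+; the collector name wec01 and the sample events are assumptions. It shows two behaviours worth knowing when you rely on host for attribution: the capture stops at the first dot, so an FQDN is reduced to its short name, and an event with no ComputerName line silently keeps the collector's name as its host.

```python
import re

# Constructed WinEventLog events as a WEC server would forward them
# (sample data for this example, not events from the thread).
SAMPLE_EVENTS = [
    # Typical event: ComputerName carries an FQDN
    "01/02/2024 10:00:01 AM\nLogName=Security\nEventCode=4624\n"
    "ComputerName=ws01.corp.example.com\nMessage=An account was successfully logged on.",
    # Short hostname with no domain suffix
    "01/02/2024 10:00:02 AM\nLogName=System\nEventCode=7036\n"
    "ComputerName=dc02\nMessage=The Windows Time service entered the running state.",
    # Event with no ComputerName line: host must stay the collector's name
    "01/02/2024 10:00:03 AM\nLogName=Application\nEventCode=1000\n"
    "Message=Faulting application name: notepad.exe",
]

COLLECTOR_HOST = "wec01"  # assumed value Splunk sets in MetaData:Host for every forwarded event

# Equivalent of (?m)^ComputerName=([^\.\v]++): capture up to the first '.'
# or vertical whitespace at the start of a line.
ORIGINATING_HOST_RE = re.compile(r"^ComputerName=([^.\r\n\x0b\x0c]+)", re.MULTILINE)
# Equivalent of ^host::(.*)$ applied to MetaData:Host
FORWARDER_RE = re.compile(r"^host::(.*)$")


def apply_transforms(raw_event, metadata_host):
    """Mimic the two transforms.conf stanzas, in the order props.conf lists them.
    Returns the resulting indexed fields as a dict."""
    meta = {"MetaData:Host": f"host::{metadata_host}"}
    fields = {}
    # WinEventLog-SetForwarderName: copy the current host into 'forwarder'
    # before anything overrides it (SOURCE_KEY = MetaData:Host, WRITE_META = true)
    m = FORWARDER_RE.match(meta["MetaData:Host"])
    if m:
        fields["forwarder"] = m.group(1)
    # WinEventLog-SetOriginatingHost: override host from the event body
    # (DEST_KEY = MetaData:Host, FORMAT = host::$1); no match leaves it untouched
    m = ORIGINATING_HOST_RE.search(raw_event)
    if m:
        meta["MetaData:Host"] = f"host::{m.group(1)}"
    fields["host"] = meta["MetaData:Host"].split("::", 1)[1]
    return fields


def process_all(events=SAMPLE_EVENTS, collector=COLLECTOR_HOST):
    """Run every sample event through the transforms and return the field dicts."""
    return [apply_transforms(e, collector) for e in events]


if __name__ == "__main__":
    for out in process_all():
        print(out)
```

The third result is the one to watch for in a SOC: any event whose body lacks a ComputerName line is attributed to the collector, so a search by host will quietly lump such events under wec01 rather than the machine that produced them.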

AKG
Path Finder

Thank you all for your reply.

All our Windows logs are coming from the Windows collector, so when we do searches, e.g. license usage by host, all we get is the collector's name and the amount used.

For other searches we have to have two searches, e.g. for Windows computers with "computername = " and for nix with "host= ".

We don't want users to need to remember these differences.

I will try the example above and come back to you.

Also, Jeremiah (sorry for my lack of regex understanding):

Why do we use [(?:::){0}WinEventLog:...]? What is the advantage over using something like [host::]?

Thank you


AKG
Path Finder

Thank you Jeremiah

This did exactly what we wanted to do.

Thank you


javiergn
Super Champion

Option A) Search time extraction:

your search here
| eval host = 'Computer-Name'

Option B) Index time:

props.conf

[host::<host>]
TRANSFORMS-renameHost = rename_host_from_Computer-Name

transforms.conf:

[rename_host_from_Computer-Name]
REGEX = [regex that captures your Computer-Name]
DEST_KEY = MetaData:Host
FORMAT = host::$1

More info here: http://docs.splunk.com/Documentation/Splunk/latest/Data/Overridedefaulthostassignments

Option C) Use a host tag:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Tagthehostfield

Hope that helps

rusty009
Path Finder

Could you provide a bit more detail with examples of what your data looks like currently and how you would like it to look?

PPape
Contributor

Can you provide an Event example?
Mostly you can do it with this setting in your inputs.conf:

host_regex = [regular expression]


twinspop
Influencer

Unfortunately, host_regex only applies to the source path not arbitrary log contents.


PPape
Contributor

Yes, you are right. I think the answer from @javiergn is the best one for this case.
