Okay, I am going to try this.
This is transforms.conf, right?
On props.conf I have:
[generic-name]
# one TRANSFORMS-<class> key per stanza, with the transforms comma-separated;
# repeating the same key three times would leave only the last value in effect
TRANSFORMS-generic-name = extracting-from-host, extracted-gname, indexed-gname
And fields.conf is still:
[gname]
INDEXED = True
Oh, yes, the field is not on _raw, it is on host.
For example, I have those events:
5/6/15
3:40:17.000 PM
Script-name=SMTP-RELAY | Status = OK | Proc=Postfix is running | SMTP=Connection to SMTP port succeed
host = instancename3.generic-name.subdomain source = /opt/splunk/bin/scripts/smtp-relay.pl sourcetype = generic-name
5/6/15
3:40:06.000 PM
Script-name=SMTP-CHAIN| Status=KO | Description=Email not received from X instance
host = instancename2.generic-name.subdomain source = /opt/splunk/bin/scripts/smtp-chain.pl sourcetype = generic-name
Oh, while pasting those events I noticed that the host looks like instancename.generic-name.subdomain; the domain.com is not there anymore (if we are extracting from this field). So the regexp is a bit shorter:
[^\.]+\.(?<gname>[^\.]+)
And yes, the general idea would be that I have, like host and sourcetype, a field called gname on those events.
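For reference, this is what a complete index-time setup of the three files could look like. It is an added example, not the poster's actual configuration: the stanza name extracting-from-host is taken from the props.conf above, the regexp is the one from this post, and SOURCE_KEY, FORMAT and WRITE_META are the standard transforms.conf keys for pulling a field out of the host metadata at index time.

```ini
# transforms.conf (added example, not the poster's file)
[extracting-from-host]
# read the host metadata field instead of _raw
SOURCE_KEY = MetaData:Host
# capture the second dot-separated label of the host,
# e.g. instancename3.generic-name.subdomain -> generic-name
REGEX = [^\.]+\.(?<gname>[^\.]+)
# write the capture into the event's indexed metadata as gname
FORMAT = gname::$1
WRITE_META = true

# props.conf (added example)
[generic-name]
TRANSFORMS-generic-name = extracting-from-host

# fields.conf (added example)
[gname]
INDEXED = true
```

Two caveats worth keeping in mind: index-time transforms only apply to data indexed after the configuration is loaded on the indexer (or heavy forwarder) that does the parsing, so events already indexed will not get gname; and fields.conf INDEXED = true should only be set once the field really is written at index time, because with that setting Splunk will not look for gname among search-time extractions, and a search such as gname=generic-name would then return nothing.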