Hi all. I've got a 4.3 universal forwarder pointing to a 4.3 indexer, both on CentOS. The forwarder is monitoring a file where SNMP traps are being dumped by snmpd. The events are being forwarded fine, but they are all showing as coming from the same host (the forwarder), so I'd like to override the host value with a value pulled from the trap data. Here's what I did:
This is all done on the forwarder, not the indexer.
All files were created in /opt/splunkforwarder/etc/system/local unless specified otherwise.
I created a transforms.conf that has this stanza (and only this stanza):
[h_o_transform]
DEST_KEY = MetaData:Host
REGEX = ZENOSS-MIB::evtDevice.?0? = STRING: "(\S+)"
FORMAT = host::$1
And then created a props.conf that has only this stanza:
[source::///var/log/snmptraps.log]
TRANSFORMS-hostoverride = h_o_transform
And just for completeness, I'll explain that what I want to do is, for all events in one particular file (/var/log/snmptraps.log), I want to pull out a string and use that string as the host name for that event.
Eventually there would be hundreds of forwarders pointing back at the indexer, so I felt that it would be better to put a small load on each forwarder rather than compound that load on the indexer and do the host override there.
The events are still coming in as before, all from one host. So I guess I have a few questions:
Can the host override be applied on the forwarder, or does it have to be applied on the indexer?
Is my regex correct? It tested out fine on several online regex testers I verified it with. The part of the event that I'm trying to strip is something like this:
ZENOSS-MIB::evtDevice.0 = STRING: "devicehostname.com",
With "devicehostname.com" being the hostname I'm trying to extract, obviously...
Are the config files in the proper place? I want to apply this globally on each forwarder, and, as I understand it, /opt/splunkforwarder/etc/system/local is the right place for that. But the docs that I got that info from weren't specifically referring to forwarders, so I thought I'd check...
Are my props.conf and transforms.conf written correctly? Again, I pulled this almost directly out of the docs, but they were talking about applying these on an indexer, so I'm not sure if different rules apply when dealing with a forwarder...
Thanks in advance for taking a look at this!
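As an added check that is not part of the original post: the script below applies the REGEX from the transforms.conf stanza above to a few constructed trap lines (sample data, not real events) and expands the FORMAT "host::$1" the way Splunk does, so you can confirm offline what host value the transform would produce for a given line. Python's re module handles this particular pattern the same way Splunk's PCRE engine does; the function names and sample lines are my own.

```python
import re

# REGEX and FORMAT copied from the transforms.conf stanza in the question.
TRANSFORM_REGEX = re.compile(r'ZENOSS-MIB::evtDevice.?0? = STRING: "(\S+)"')
FORMAT = "host::$1"

# Constructed sample events; the first mirrors the fragment quoted in the
# question, the third has no ".0" suffix, the last has no evtDevice field.
SAMPLE_EVENTS = [
    'ZENOSS-MIB::evtDevice.0 = STRING: "devicehostname.com", '
    'ZENOSS-MIB::evtSummary.0 = STRING: "link down"',
    'SNMPv2-MIB::sysUpTime.0 = Timeticks: (12345) 0:02:03.45  '
    'ZENOSS-MIB::evtDevice.0 = STRING: "router-01.example.net"',
    'ZENOSS-MIB::evtDevice = STRING: "switch-02"',
    'ZENOSS-MIB::evtSummary.0 = STRING: "no device field here"',
]


def apply_host_override(event: str):
    """Return the value the transform would write to MetaData:Host for this
    event (FORMAT with $1 expanded), or None when the REGEX does not match,
    in which case Splunk leaves the host field untouched.
    """
    m = TRANSFORM_REGEX.search(event)
    if m is None:
        return None
    # Splunk substitutes $1 with the first capture group of REGEX.
    return FORMAT.replace("$1", m.group(1))


def check_samples(events=SAMPLE_EVENTS):
    """Run the transform over every sample and return the resulting host values."""
    return [apply_host_override(e) for e in events]


if __name__ == "__main__":
    for event, host in zip(SAMPLE_EVENTS, check_samples()):
        print(f"{host!r:32} <- {event[:60]}")
```

A None result for a line means that line would keep the forwarder's own host value, so running this over a few real lines from /var/log/snmptraps.log is a quick way to separate "the regex does not match" from "the transform is not being applied where I put it".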