topic Help with Extracting host via transforms in Getting Data In

Help with Extracting host via transforms

danielbb — Thu, 07 Jul 2022 14:03:44 GMT

We have the following -

# /data/xxxx/<hostname>_syslog.log [datanow-syslog-host] SOURCE_KEY = source REGEX = \/data\/xxxx\/(.+)_syslog\.log DEST_KEY = MetaData:Host FORMAT = host::$1

Trying to extract the host name from the source without much luck.

Any ideas?

Re: Extracting host via transforms

gcusello — Wed, 06 Jul 2022 06:45:44 GMT

Hi @danielbb,

the stanza you shared is in transforms.conf, I suppose that you also created a related props.conf containing:

[your_sourcetype] TRANSFORMS-datanow-syslog-host = datanow-syslog-host

and I suppose that the sourcetype is correct: there isn't any additional sourcetype overriding.

Then, where do you located props.conf and transforms.conf?

they must be on your Indexers or (if present) on Heavy Forwarders, not on Universal Forwarders.

Ciao.

Giuseppe

Re: Extracting host via transforms

danielbb — Wed, 06 Jul 2022 19:44:07 GMT

Hi @gcusello

In props.conf I have configuration as you said -

[your_sourcetype] TRANSFORMS-datanow-syslog-host = datanow-syslog-host

And btool of props and transforms confirms that this part is ok.

Props and transforms are on the HF which is our syslog server as well.

Does this line look fine to you? the one I trust the least -

SOURCE_KEY = source

Is there any way to debug these cases? splunkd.log doesn't record much of it, right?

Re: Extracting host via transforms

gcusello — Thu, 07 Jul 2022 06:31:30 GMT

Hi @danielbb,

I suppose that you also restarted Splunk on the HF after update.

Anyway, teh configuration is correct, the only thing different than my usual use is the SOURCE_KEY = source, have you the value you are using also in the row events?.

Reading the documentation at https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Transformsconf I see that the syntax to use is a little different, please try this:

SOURCE_KEY = MetaData:Source

SOURCE_KEY = field:source

Ciao.

Giuseppe