topic Re: help with host override in Getting Data In

help with host override

ilhwan — Fri, 23 Jan 2026 18:30:04 GMT

I'm trying to rewrite the host field on events that are coming into a HEC on a HF. It's populating the hostname of the HF as host, and I'd really like to use what's in the event.

props.conf:

[source::ansible] TRANSFORMS-hostoverride = ansible_override

transforms.conf:

[ansible_override] DEST_KEY = MetaData:Host REGEX = \"cluster_host_id\"\:s\"([a-zA-Z.-_]+)\" FORMAT = host::$1

Here's a sample raw event:

{"@timestamp": "2026-01-23T18:09:35.832Z", "message": "Request appeared to be a trusted upstream proxy but failed to provide a matching shared secret.", "host": "uiitaap31.xxx.com", "level": "WARNING", "logger_name": "awx.api.generics", "stack_info": null, "guid": "c1daaaf92a4f403bb5739802f5d33d93", "cluster_host_id": "uiitaap31.xxx.com", "tower_uuid": null}

This is what I'm getting:

Instead of replacing the host, it's appending. What am I doing wrong?

Re: help with host override

livehybrid — Fri, 23 Jan 2026 19:42:13 GMT

Hi @ilhwan

I noticed back in 2022 you posted similar to this around some sourcetypes and changing the host so I just wanted to check - is there any chance there could be a conflict between these props/transforms and previous ones deployed?

Are you able to check the other props.conf configs for this same sourcetype to ensure no other transforms are being applied? As far as I can tell the way you are doing it should overwrite the existing host value which makes me wonder if something else is appending it somewhere.

Are you also able to confirm that there are no other search-time extractions occurring?

If you run the search in fast mode do you get the same host values (2 values per event) ?

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: help with host override

ilhwan — Fri, 23 Jan 2026 20:11:33 GMT

Wow. I'd forgotten about the question in 2022. That was a completely different source that comes in via a TA, and I'm assuming it wouldn't interact.

Searching in fast mode still shows both hosts in the metadata host field. I did a search for "ansible" in the field extractions screen and found nothing. Is there an easy way to tell if I'm doing unintended search-time extractions?

This is what I see for props and transforms when I restrict it to the app:

[splunk@UPSPLHF01 ~]$ /opt/splunk/bin/splunk btool props list --app=launcher --debug /opt/splunk/etc/apps/launcher/local/props.conf [source::ansible] /opt/splunk/etc/apps/launcher/local/props.conf TRANSFORMS-host_override = ansible_override [splunk@UPSPLHF01 ~]$ /opt/splunk/bin/splunk btool transforms list --app=launcher --debug /opt/splunk/etc/apps/launcher/local/transforms.conf [ansible_override] /opt/splunk/etc/apps/launcher/local/transforms.conf DEST_KEY = MetaData:Host /opt/splunk/etc/apps/launcher/local/transforms.conf FORMAT = host::$1 /opt/splunk/etc/apps/launcher/local/transforms.conf REGEX = \"cluster_host_id\"\:s\"([a-zA-Z.-_]+)\" [splunk@UPSPLHF01 ~]$

If I do not restrict it to the launcher app, it returns too much for me to post.

Re: help with host override

ilhwan — Fri, 23 Jan 2026 21:35:34 GMT

Okay. I think I managed to cut out just the relevant stanzas from the big btool outputs

props.conf:

/opt/splunk/etc/apps/launcher/local/props.conf [source::ansible] /opt/splunk/etc/system/default/props.conf ADD_EXTRA_TIME_FIELDS = True /opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True /opt/splunk/etc/system/default/props.conf AUTO_KV_JSON = true /opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE = /opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True /opt/splunk/etc/system/default/props.conf CHARSET = UTF-8 /opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml /opt/splunk/etc/system/default/props.conf DEPTH_LIMIT = 1000 /opt/splunk/etc/system/default/props.conf DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false /opt/splunk/etc/system/default/props.conf HEADER_MODE = /opt/splunk/etc/system/default/props.conf LB_CHUNK_BREAKER_TRUNCATE = 2000000 /opt/splunk/etc/system/default/props.conf LEARN_MODEL = true /opt/splunk/etc/system/default/props.conf LEARN_SOURCETYPE = true /opt/splunk/etc/system/default/props.conf LINE_BREAKER_LOOKBEHIND = 100 /opt/splunk/etc/system/default/props.conf MATCH_LIMIT = 100000 /opt/splunk/etc/system/default/props.conf MAX_DAYS_AGO = 2000 /opt/splunk/etc/system/default/props.conf MAX_DAYS_HENCE = 2 /opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_AGO = 3600 /opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_HENCE = 604800 /opt/splunk/etc/system/default/props.conf MAX_EVENTS = 256 /opt/splunk/etc/system/default/props.conf MAX_EXPECTED_EVENT_LINES = 7 /opt/splunk/etc/system/default/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128 /opt/splunk/etc/system/default/props.conf MUST_BREAK_AFTER = /opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_AFTER = /opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_BEFORE = /opt/splunk/etc/system/default/props.conf SEGMENTATION = indexing /opt/splunk/etc/system/default/props.conf SEGMENTATION-all = full /opt/splunk/etc/system/default/props.conf SEGMENTATION-inner = inner /opt/splunk/etc/system/default/props.conf SEGMENTATION-outer = outer /opt/splunk/etc/system/default/props.conf SEGMENTATION-raw = none /opt/splunk/etc/system/default/props.conf SEGMENTATION-standard = standard /opt/splunk/etc/system/default/props.conf SHOULD_LINEMERGE = True /opt/splunk/etc/system/default/props.conf TRANSFORMS = /opt/splunk/etc/apps/dw-hf_settings/default/props.conf TRANSFORMS-hf_name = hf_name /opt/splunk/etc/apps/launcher/local/props.conf TRANSFORMS-host_override = ansible_override /opt/splunk/etc/system/default/props.conf TRUNCATE = 10000 /opt/splunk/etc/system/default/props.conf detect_trailing_nulls = false /opt/splunk/etc/system/default/props.conf maxDist = 100 /opt/splunk/etc/system/default/props.conf priority = /opt/splunk/etc/system/default/props.conf sourcetype = /opt/splunk/etc/system/default/props.conf termFrequencyWeightedDist = false /opt/splunk/etc/system/default/props.conf unarchive_cmd_start_mode = shell

transforms.conf:

/opt/splunk/etc/apps/launcher/local/transforms.conf [ansible_override] /opt/splunk/etc/system/default/transforms.conf CAN_OPTIMIZE = True /opt/splunk/etc/system/default/transforms.conf CLEAN_KEYS = True /opt/splunk/etc/system/default/transforms.conf DEFAULT_VALUE = /opt/splunk/etc/system/default/transforms.conf DEPTH_LIMIT = 1000 /opt/splunk/etc/apps/launcher/local/transforms.conf DEST_KEY = MetaData:Host /opt/splunk/etc/apps/launcher/local/transforms.conf FORMAT = host::$1 /opt/splunk/etc/system/default/transforms.conf KEEP_EMPTY_VALS = False /opt/splunk/etc/system/default/transforms.conf LOOKAHEAD = 4096 /opt/splunk/etc/system/default/transforms.conf MATCH_LIMIT = 100000 /opt/splunk/etc/system/default/transforms.conf MV_ADD = False /opt/splunk/etc/apps/launcher/local/transforms.conf REGEX = \"cluster_host_id\"\:s\"([a-zA-Z.-_]+)\" /opt/splunk/etc/system/default/transforms.conf SOURCE_KEY = _raw /opt/splunk/etc/system/default/transforms.conf WRITE_META = False

Re: help with host override

gcusello — Sat, 24 Jan 2026 06:40:02 GMT

Hi @ilhwan ,

a backslash is mised befor the s:

\"cluster_host_id\"\:\s\"([a-zA-Z.-_]+)\"

Ciao.

Giuseppe

Re: help with host override

PickleRick — Sat, 24 Jan 2026 08:52:52 GMT

Aren't you by any chance using indexed extractions?

Re: help with host override

ilhwan — Mon, 26 Jan 2026 17:19:44 GMT

Good catch! Thank you. Unfortunately, I'll need a day or two to actually test it out because the events come in so infrequently.

Re: help with host override

ilhwan — Fri, 30 Jan 2026 20:38:16 GMT

Okay, I finally got an event on that collector.

We're so close. It looks like I can search by hostname, and I can probably leave it this way.

Re: help with host override

gcusello — Tue, 17 Feb 2026 16:55:06 GMT

Hi @ilhwan ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉