https://community.splunk.com/t5/Getting-Data-In/How-do-you-assign-host-value-for-ActiveDirectory-source/m-p/62977#M12641 <P>I have the 4.2 universal forwarder installed on an Active Directory DC, but have been unable to assign the fqdn as the host value for ActiveDirectory (splunk-admon) events. Setting host=fqdn in inputs.conf sets the correct host value for WinEventLog and WMI events, but not for ActiveDirectory. Tried setting host=fdqn in admon.conf but did not have any effect. Also tried the following transform but still had no effect...</P> <P>$splunkhome/etc/system/local/props.conf </P> <PRE><CODE>[ActiveDirectory] TRANSFORMS-rowandc = rowandc-host </CODE></PRE> <P>$splunkhome/etc/system/local/transforms.conf </P> <PRE><CODE>[rowandc-host] DEST_KEY = MetaData:Host REGEX = dcName=(\w*\.rowanads\.rowan\.edu) FORMAT = host::$1 </CODE></PRE> <P>Sample data...</P> <PRE><CODE>03/18/2011 11:25:50.073 dcName=ads4.rowanads.rowan.edu admonEventType=Deleted objectGuid=removed distinguishedName=removed host=ADS4 sourcetype=ActiveDirectory source=ActiveDirectory </CODE></PRE> Fri, 18 Mar 2011 23:11:04 GMT Jason_1 2011-03-18T23:11:04Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-assign-host-value-for-ActiveDirectory-source/m-p/62977#M12641 <P>I have the 4.2 universal forwarder installed on an Active Directory DC, but have been unable to assign the fqdn as the host value for ActiveDirectory (splunk-admon) events. Setting host=fqdn in inputs.conf sets the correct host value for WinEventLog and WMI events, but not for ActiveDirectory. Tried setting host=fdqn in admon.conf but did not have any effect. Also tried the following transform but still had no effect...</P> <P>$splunkhome/etc/system/local/props.conf </P> <PRE><CODE>[ActiveDirectory] TRANSFORMS-rowandc = rowandc-host </CODE></PRE> <P>$splunkhome/etc/system/local/transforms.conf </P> <PRE><CODE>[rowandc-host] DEST_KEY = MetaData:Host REGEX = dcName=(\w*\.rowanads\.rowan\.edu) FORMAT = host::$1 </CODE></PRE> <P>Sample data...</P> <PRE><CODE>03/18/2011 11:25:50.073 dcName=ads4.rowanads.rowan.edu admonEventType=Deleted objectGuid=removed distinguishedName=removed host=ADS4 sourcetype=ActiveDirectory source=ActiveDirectory </CODE></PRE> Fri, 18 Mar 2011 23:11:04 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-assign-host-value-for-ActiveDirectory-source/m-p/62977#M12641 Jason_1 2011-03-18T23:11:04Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-assign-host-value-for-ActiveDirectory-source/m-p/62978#M12642 <P>That should work but you will need to restart every Indexer first (which you probably did not do). I would also use something like this instead of what you are using:</P> <PRE><CODE>REGEX = dcName=(.*)[\r\n] </CODE></PRE> Wed, 03 Jun 2015 17:10:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-assign-host-value-for-ActiveDirectory-source/m-p/62978#M12642 woodcock 2015-06-03T17:10:34Z