https://community.splunk.com/t5/Getting-Data-In/Dynamic-Host-Field-Value-for-SNMP-Traps/m-p/70493#M14339 <P>Sure! On the indexer, set up props.conf / transforms.conf settings that extract the value you want for <CODE>host</CODE> and then write it to the <CODE>host</CODE> field:</P> <P>props.conf</P> <PRE><CODE>[yoursourcetype] TRANSFORMS-snmphost = snmphost </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[snmphost] REGEX = ^NET-SNMP version [\d\.]+\s+\d{4}-\d{2}-\d[2} \d+:\d+:\d: (\S+) FORMAT = host::$1 DEST_KEY = MetaData:Host </CODE></PRE> <P>(make sure the regex matches correctly using something like Splunk's own <CODE>rex</CODE>/<CODE>regex</CODE> commands or external tools like <CODE>regexpal.net</CODE>) </P> <P>This is covered in the docs as well: <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/overridedefaulthostassignments#transforms.conf">http://docs.splunk.com/Documentation/Splunk/latest/Data/overridedefaulthostassignments#transforms.conf</A></P> Tue, 25 Sep 2012 22:07:49 GMT Ayn 2012-09-25T22:07:49Z https://community.splunk.com/t5/Getting-Data-In/Dynamic-Host-Field-Value-for-SNMP-Traps/m-p/70492#M14338 <P>I have my traps set up to go to a log file in /var/log/snmp-traps. I want to be able to have the host field value reflect the actual host the trap originally came from. Is that possible? See trap below, host portion is bold.</P> <P>NET-SNMP version 5.4.2.1<BR /> 2012-09-25 17:41:17 <STRONG>testhost.host.net</STRONG> <A href="via%20UDP:%20%5B192.168.15.15%5D:51630-%3E%5B172.21.58.70%5D">192.168.15.15</A> TRAP, SNMP v1, community c@nT0uchth1S<BR /> CISCO-CONFIG-MAN-MIB::ciscoConfigManMIBNotificationPrefix Enterprise Specific Trap (CISCO-CONFIG-MAN-MIB::ciscoConfigManEvent) Uptime: 83 days, 15:48:11.04<BR /> CISCO-CONFIG-MAN-MIB::ccmHistoryEventCommandSource.1004 = INTEGER: commandLine(1) CISCO-CONFIG-MAN-MIB::ccmHistoryEventConfigSource.1004 = INTEGER: commandSource(2) CISCO-CONFIG-MAN-MIB::ccmHistoryEventConfigDestination.1004 = INTEGER: running(3)</P> Tue, 25 Sep 2012 17:58:03 GMT https://community.splunk.com/t5/Getting-Data-In/Dynamic-Host-Field-Value-for-SNMP-Traps/m-p/70492#M14338 jedatt01 2012-09-25T17:58:03Z https://community.splunk.com/t5/Getting-Data-In/Dynamic-Host-Field-Value-for-SNMP-Traps/m-p/70493#M14339 <P>Sure! On the indexer, set up props.conf / transforms.conf settings that extract the value you want for <CODE>host</CODE> and then write it to the <CODE>host</CODE> field:</P> <P>props.conf</P> <PRE><CODE>[yoursourcetype] TRANSFORMS-snmphost = snmphost </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[snmphost] REGEX = ^NET-SNMP version [\d\.]+\s+\d{4}-\d{2}-\d[2} \d+:\d+:\d: (\S+) FORMAT = host::$1 DEST_KEY = MetaData:Host </CODE></PRE> <P>(make sure the regex matches correctly using something like Splunk's own <CODE>rex</CODE>/<CODE>regex</CODE> commands or external tools like <CODE>regexpal.net</CODE>) </P> <P>This is covered in the docs as well: <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/overridedefaulthostassignments#transforms.conf">http://docs.splunk.com/Documentation/Splunk/latest/Data/overridedefaulthostassignments#transforms.conf</A></P> Tue, 25 Sep 2012 22:07:49 GMT https://community.splunk.com/t5/Getting-Data-In/Dynamic-Host-Field-Value-for-SNMP-Traps/m-p/70493#M14339 Ayn 2012-09-25T22:07:49Z https://community.splunk.com/t5/Getting-Data-In/Dynamic-Host-Field-Value-for-SNMP-Traps/m-p/70494#M14340 <P>Works perfectly! thanks</P> Tue, 02 Oct 2012 19:21:16 GMT https://community.splunk.com/t5/Getting-Data-In/Dynamic-Host-Field-Value-for-SNMP-Traps/m-p/70494#M14340 jedatt01 2012-10-02T19:21:16Z