https://community.splunk.com/t5/Getting-Data-In/Change-hostname-transform/m-p/82286#M17014 <P>Fixed the transform, thanks to <A href="http://splunk-base.splunk.com/answers/24769/host-override">http://splunk-base.splunk.com/answers/24769/host-override</A>.</P> <P>The ^ in my regex was mucking things up. The MetaData:Source source begins with text "source::". Removing the ^ to permit the "source::" at the start of the value fixed it.</P> <P>Still haven't gotten it to work on my UF though. Am I correct in understanding that this does not work on the UF?</P> Tue, 02 Jul 2013 17:53:49 GMT BryanBerry 2013-07-02T17:53:49Z https://community.splunk.com/t5/Getting-Data-In/Change-hostname-transform/m-p/82285#M17013 <P>We have a host where logs are aggregated already. I want to Splunk these logs. The source host for the logs is in the file path. I attempted the below props/transforms as a PoC, but no luck. Can anyone catch what I'm doing wrong?</P> <P>transforms.conf:</P> <PRE><CODE>[foobar] SOURCE_KEY = MetaData:Source DEST_KEY = MetaData:Host REGEX = ^/opt/splunk/v(ar) FORMAT = host::bogus$1 </CODE></PRE> <P>props.conf:</P> <PRE><CODE>[boguslog] TRANSFORMS-foo=foobar </CODE></PRE> <P>inputs.conf:</P> <PRE><CODE>[monitor:///opt/splunk/var/log/splunk/splunkd.log] sourcetype = boguslog </CODE></PRE> <P>Also, would this sort of transformation work on a UF or only a HF? I was originally doing this to test for myself, but I can't get it to work on my HF in the first place.</P> Tue, 02 Jul 2013 17:45:11 GMT https://community.splunk.com/t5/Getting-Data-In/Change-hostname-transform/m-p/82285#M17013 BryanBerry 2013-07-02T17:45:11Z https://community.splunk.com/t5/Getting-Data-In/Change-hostname-transform/m-p/82286#M17014 <P>Fixed the transform, thanks to <A href="http://splunk-base.splunk.com/answers/24769/host-override">http://splunk-base.splunk.com/answers/24769/host-override</A>.</P> <P>The ^ in my regex was mucking things up. The MetaData:Source source begins with text "source::". Removing the ^ to permit the "source::" at the start of the value fixed it.</P> <P>Still haven't gotten it to work on my UF though. Am I correct in understanding that this does not work on the UF?</P> Tue, 02 Jul 2013 17:53:49 GMT https://community.splunk.com/t5/Getting-Data-In/Change-hostname-transform/m-p/82286#M17014 BryanBerry 2013-07-02T17:53:49Z https://community.splunk.com/t5/Getting-Data-In/Change-hostname-transform/m-p/82287#M17015 <P>Correct behavior, props and transforms are not processed by a UF .</P> Tue, 02 Jul 2013 19:21:25 GMT https://community.splunk.com/t5/Getting-Data-In/Change-hostname-transform/m-p/82287#M17015 JSapienza 2013-07-02T19:21:25Z https://community.splunk.com/t5/Getting-Data-In/Change-hostname-transform/m-p/82288#M17016 <P>Umm, aren't you making this a bit too difficult? Did you have a look at the <CODE>host_segment</CODE> configuration directive in <CODE>inputs.conf</CODE>?</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf</A></P> Tue, 02 Jul 2013 20:32:04 GMT https://community.splunk.com/t5/Getting-Data-In/Change-hostname-transform/m-p/82288#M17016 Ayn 2013-07-02T20:32:04Z https://community.splunk.com/t5/Getting-Data-In/Change-hostname-transform/m-p/82289#M17017 <P>You, sir, are kind of awesome. Using this with the UF actually shaves two weeks off my project by avoiding the heavy forwarder. Thank you!</P> Tue, 02 Jul 2013 21:09:16 GMT https://community.splunk.com/t5/Getting-Data-In/Change-hostname-transform/m-p/82289#M17017 BryanBerry 2013-07-02T21:09:16Z