https://community.splunk.com/t5/Getting-Data-In/Rewrite-hostname-don-t-work/m-p/92193#M19154 <P>I'll check asap<BR /> Grazie Paolo <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 18 Oct 2011 18:32:15 GMT bizza 2011-10-18T18:32:15Z https://community.splunk.com/t5/Getting-Data-In/Rewrite-hostname-don-t-work/m-p/92190#M19151 <P>Hi all,<BR /> I need to append the domain to all hosts that send data to my splunk indexer, to avoid duplications (hostname and hostname.domain are the same host)</P> <P>This is my transforms.conf</P> <P>[syslog_add_fqdn]<BR /> REGEX=host::([A-Za-z][-_A-Za-z0-9]*[A-Za-z0-9])$<BR /> FORMAT=host::$1.domain.local<BR /> WRITE_META=true<BR /> DEST_KEY=MetaData:Host<BR /> SOURCE_KEY=MetaData:Host</P> <P>and props.conf</P> <P>[linux_secure]<BR /> TRANSFORMS-zz_fix_host = syslog_add_fqdn</P> <P>[syslog]<BR /> TRANSFORMS-zz_fix_host = syslog_add_fqdn</P> <P>In $SPLUNK_HOME/var/log/splunk/splunkd.log I found this error:</P> <P>/opt/splunk/var/log/splunk/splunkd.log:10-14-2011 13:22:58.652 +0200 ERROR regexExtractionProcessor - DEST_KEY or WRITE_META=true must be specified tranform_name=syslog_add_fqdn</P> <P>What is wrong?<BR /> I tried to remove WRITE_META from my rules, change its position, but my indexer still log hostname on syslog souce type and hostname.domain on linux_secure source type (because on it my system log fqdn, the rule don't work).</P> <P>Any hints?</P> Mon, 28 Sep 2020 09:59:14 GMT https://community.splunk.com/t5/Getting-Data-In/Rewrite-hostname-don-t-work/m-p/92190#M19151 bizza 2020-09-28T09:59:14Z https://community.splunk.com/t5/Getting-Data-In/Rewrite-hostname-don-t-work/m-p/92191#M19152 <P>I would start troubleshooting the problem by removing the <CODE>host::</CODE> from the REGEX= line:<BR /> The <CODE>SOURCE_KEY=MetaData:Host</CODE> makes the REGEX operator work only on the <CODE>host</CODE> fied. </P> Fri, 14 Oct 2011 16:10:26 GMT https://community.splunk.com/t5/Getting-Data-In/Rewrite-hostname-don-t-work/m-p/92191#M19152 _d_ 2011-10-14T16:10:26Z https://community.splunk.com/t5/Getting-Data-In/Rewrite-hostname-don-t-work/m-p/92192#M19153 <P>You might have a conflict with the [syslog-host] rule in $SPLUNK_HOME/etc/system/default/transforms.conf, which is called by props.conf as:</P> <PRE><CODE>[syslog] .... TRANSFORMS = syslog-host </CODE></PRE> <P>Maybe your rule is evaluated first, but then its results are overwritten by the default one.<BR /> You could try to force an order as:</P> <PRE><CODE>[syslog] ... TRANSFORMS = TRANSFORMS-zz_fix_host = syslog-host, syslog_add_fqdn </CODE></PRE> <P>Have you inspected your runtime configurations with btool?</P> <P><EM>splunk btool --debug props list</EM></P> <P>Other than that, I recall the "-" when used in character classes should be either escaped or at the end of the class itself, otherwise it means a range.</P> <PRE><CODE>[syslog_add_fqdn] REGEX = host::([A-Za-z][\w\-]*[A-Za-z0-9])$ FORMAT = host::$1.domain.local DEST_KEY = MetaData:Host SOURCE_KEY = MetaData:Host </CODE></PRE> <P>The write_meta should not be necessary in this case.</P> Sat, 15 Oct 2011 11:07:34 GMT https://community.splunk.com/t5/Getting-Data-In/Rewrite-hostname-don-t-work/m-p/92192#M19153 Paolo_Prigione 2011-10-15T11:07:34Z https://community.splunk.com/t5/Getting-Data-In/Rewrite-hostname-don-t-work/m-p/92193#M19154 <P>I'll check asap<BR /> Grazie Paolo <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 18 Oct 2011 18:32:15 GMT https://community.splunk.com/t5/Getting-Data-In/Rewrite-hostname-don-t-work/m-p/92193#M19154 bizza 2011-10-18T18:32:15Z