topic Re: Overriding host values using the log data in Getting Data In

Overriding host values using the log data

pkeller — Sat, 21 Apr 2012 01:31:04 GMT

http://docs.splunk.com/Documentation/Splunk/latest/Data/overridedefaulthostassignments

I've been trying to set up what should be a very simple regex to extract the hostname out of logs that are formatted like this:

Apr 20 10:10:10 host=hostname
Apr 20 10:10:11 host=hostname-b

After spending most of the day trying to do this, I decided to try doing what is listed in the Example section of the link mentioned at the top of this message. Using the exact same event data, the exact same props.conf and transforms.conf, my instance of Splunk running on my MacOS laptop is still setting the host field to my local hostname.

Thanks very much

Re: Overriding host values using the log data

Damien_Dallimor — Sat, 21 Apr 2012 03:35:21 GMT

Can you post your props.conf and transforms.conf stanzas and I will take a look at it for you.

Re: Overriding host values using the log data

pkeller — Sat, 21 Apr 2012 20:46:46 GMT

Thank you ...

props.conf:

[source::.../unix-cads-alerts]
TRANSFORMS-cads = cads
SHOULD_LINEMERGE = false

transforms.conf
[cads]
DEST_KEY = MetaData:Host
REGEX = ^[A-Z][a-z][a-z]\s+\d\d\s+\d\d:\d\d:\d\d\s+host=(\S+)\s+.*
FORMAT = host::$1

here's two lines of data from the file: unix-cads-alerts

Apr 19 16:15:21 host=ctx-sjc-p33 alert=[CLEAR] details=[cpu10]
Apr 19 16:22:10 host=tab-app-002-p alert=[CLEAR] details=[snmp]

Re: Overriding host values using the log data

Damien_Dallimor — Sun, 22 Apr 2012 02:34:04 GMT

Well your regex won't work because you haven't escaped the special characters :

REGEX = ^[A-Z][a-z][a-z]\s+\d\d\s+\d\d:\d\d:\d\d\s+host=(\S+)\s+.*

FYI , alternatively, you can probably get away with a simpler regex, try this in transforms.conf

REGEX = host=([a-zA-Z0-9\._-]+)