https://community.splunk.com/t5/Getting-Data-In/How-to-rename-host-field-value-based-on-event-data/m-p/363912#M66274 <P>I deployed the props.conf and transforms.conf to the indexer cluster and the host changed but it seems to just use $1 instead of the regex value.</P> Thu, 04 May 2017 19:41:52 GMT Kieffer87 2017-05-04T19:41:52Z https://community.splunk.com/t5/Getting-Data-In/How-to-rename-host-field-value-based-on-event-data/m-p/363910#M66272 <P>I have a Linux server that ingests pre-cooked log files. Each line of the log file begins with the host that the log originated from. I have a universal forwarder on a Linux server watching for log files and I would like to rename the host field from the linux server to use the server in the event line.</P> <P>On the universal forwarder I added the following but host is still ldxx90vds19. What am I missing here? I'm in a distributed environment, tried adding the same to the search heads with no luck.</P> <P>inputs.conf</P> <PRE><CODE>[batch:///app1/vdsext/elk/stats/prod/pull/serverStats.*.csv.*] source = ldxx90vds19 sourcetype = vds:serverstats disabled = false index = vds move_policy = sinkhole initCrcLength = 1000 </CODE></PRE> <P>props.conf</P> <PRE><CODE>[vds:serverstats] TRANSFORMS-hostname = vdshostname </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[vdshostname] REGEX = ^[a-z]\w+ FORMAT = host::$1 DEST_KEY = MetaData:Host </CODE></PRE> <P>Sample log:</P> <PRE><CODE>ldxx90vds2,1493923501.828,0.685,0.652,97.793,0.802,0.0,0.067,0.050,0.060,0.030,11538391040.0,410136576.0,6964232192.0,6279286784.0,1276254.500,22937.400,0.0,39.300,0.0,1823129.600 </CODE></PRE> Thu, 04 May 2017 18:58:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-rename-host-field-value-based-on-event-data/m-p/363910#M66272 Kieffer87 2017-05-04T18:58:02Z https://community.splunk.com/t5/Getting-Data-In/How-to-rename-host-field-value-based-on-event-data/m-p/363911#M66273 <P>The universal forwarder doesn't do parsing of data so your props.conf and transforms.conf entries are ineffective there. Those should be kept in next Full Splunk instance, either heavy forwarder or indexer, to which your UF is sending data. A restart of Splunk would be required.</P> Thu, 04 May 2017 19:22:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-rename-host-field-value-based-on-event-data/m-p/363911#M66273 somesoni2 2017-05-04T19:22:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-rename-host-field-value-based-on-event-data/m-p/363912#M66274 <P>I deployed the props.conf and transforms.conf to the indexer cluster and the host changed but it seems to just use $1 instead of the regex value.</P> Thu, 04 May 2017 19:41:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-rename-host-field-value-based-on-event-data/m-p/363912#M66274 Kieffer87 2017-05-04T19:41:52Z https://community.splunk.com/t5/Getting-Data-In/How-to-rename-host-field-value-based-on-event-data/m-p/363913#M66275 <P>Change the <CODE>REGEX = ^[a-z]\w+</CODE> with <CODE>REGEX = ^([a-z]\w+)</CODE>. You need to enclose the value in brackets to be recognized as $1 (first enclosed value in regex)</P> Thu, 04 May 2017 19:48:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-rename-host-field-value-based-on-event-data/m-p/363913#M66275 somesoni2 2017-05-04T19:48:57Z https://community.splunk.com/t5/Getting-Data-In/How-to-rename-host-field-value-based-on-event-data/m-p/363914#M66276 <P>That did the trick, thank you for your help.</P> Thu, 04 May 2017 20:36:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-rename-host-field-value-based-on-event-data/m-p/363914#M66276 Kieffer87 2017-05-04T20:36:50Z