https://community.splunk.com/t5/Getting-Data-In/Unable-to-rewrite-host-meta-key-at-ingestion/m-p/531263#M89382 <LI-CODE lang="markup">Sep 20 11:13:18 10.50.3.100 Sep 20 11:13:15 DC1ASM1.dc1.greendotcorp.com ASM:"MONEYPAK_WEBAPP","MONEYPAK_CLASS","Blocked","Attack signature detected","4523972057501654520","207.154.35.240","GET /Content/Images/img_logo01_module02.gif HTTP/1.1\r\nHost: www.moneypak.com\r\nUser-Agent: sam375/1.0[TF268435460801870024000000015076264944] UP.Browser/6.2.3.8 (GUI) MMP/2.0 Profile/MIDP-2.0 Configuration/CLDC-1.1\r\nAccept-Charset: iso-8859-1\r\nAccept-Language: en; q=0.9, es-ve; q=0.9\r\nx-wap-profile: ""http://uaprof1.caohosting.com/UAProfSamsung_R375_TF_V01.xml""\r\nReferer: ../../UseMoneyPak.aspx\r\nCookie: ASP.NET_SessionId=fygzml55xi4i5j45sqnduhy3; __RequestVerificationToken_Lw__=a3NVWCZIIdAJq9jOKEbhic39Vp03TnfuaVRd0mv7yBMYi88KbWiEO1uTpjKuQyybqfSC6JzuMPAA/EPxUpMeeI5hAxDRBepfwT7oeGSTy4xDp+vX7lqDSnJ4C2FI5J6yNRoasA==; TS9d98d7=9f0b4c041f7d935b1147a57259d88de374a21272ed77bfab505b5c7636af3f5e4cdb125288da4b2db1281d8f\r\nAccept: application/octet-stream, application/vnd.oma.drm.content, application/vnd.oma.drm.message, application/vnd.oma.drm.rights+wbxml, application/vnd.oma.drm.rights+xml, a</LI-CODE> Sun, 29 Nov 2020 16:51:52 GMT brent_weaver 2020-11-29T16:51:52Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-rewrite-host-meta-key-at-ingestion/m-p/531261#M89380 <P>I have a reg ex tested and working that will extract the host out of these events. My transforms is as follows:</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">[hostextraction] REGEX = ^.*\d+\s(.*)ASM:.* FORMAT = host::$1 DEST_KEY = MetaData:Host</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>props:</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">[myst] DATETIME_CONFIG = LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true TIME_PREFIX = ^.{1,16}\b(?:\d{1,3}\.){3}\d{1,3}\b\s TRANSFORMS-whateva = hostextraction</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;This has no affect on the host metadata key. Any help is much appreciated. I am taking this directly from Splunk Documentation. &nbsp;I am getting this message in _internal</P><DIV class="shared-eventsviewer-shared-rawfield"><DIV class="raw-event normal wrap "><SPAN class="t">ERROR</SPAN> <SPAN class="t">regexExtractionProcessor</SPAN> <SPAN class="t">-</SPAN> <SPAN class="t">REGEX</SPAN> <SPAN class="t">field</SPAN> <SPAN class="t">must</SPAN> <SPAN class="t">be</SPAN> <SPAN class="t">specified</SPAN> <SPAN class="t">tranform_name=hostextraction</SPAN></DIV></DIV><DIV class="shared-eventsviewer-list-body-row-selectedfields">&nbsp;</DIV><DIV class="shared-eventsviewer-list-body-row-selectedfields">Any help is much appreciated!</DIV> Sun, 29 Nov 2020 14:49:03 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-rewrite-host-meta-key-at-ingestion/m-p/531261#M89380 brent_weaver 2020-11-29T14:49:03Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-rewrite-host-meta-key-at-ingestion/m-p/531262#M89381 Can you provide any sample data where you are trying extract host? Sun, 29 Nov 2020 15:53:31 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-rewrite-host-meta-key-at-ingestion/m-p/531262#M89381 isoutamo 2020-11-29T15:53:31Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-rewrite-host-meta-key-at-ingestion/m-p/531263#M89382 <LI-CODE lang="markup">Sep 20 11:13:18 10.50.3.100 Sep 20 11:13:15 DC1ASM1.dc1.greendotcorp.com ASM:"MONEYPAK_WEBAPP","MONEYPAK_CLASS","Blocked","Attack signature detected","4523972057501654520","207.154.35.240","GET /Content/Images/img_logo01_module02.gif HTTP/1.1\r\nHost: www.moneypak.com\r\nUser-Agent: sam375/1.0[TF268435460801870024000000015076264944] UP.Browser/6.2.3.8 (GUI) MMP/2.0 Profile/MIDP-2.0 Configuration/CLDC-1.1\r\nAccept-Charset: iso-8859-1\r\nAccept-Language: en; q=0.9, es-ve; q=0.9\r\nx-wap-profile: ""http://uaprof1.caohosting.com/UAProfSamsung_R375_TF_V01.xml""\r\nReferer: ../../UseMoneyPak.aspx\r\nCookie: ASP.NET_SessionId=fygzml55xi4i5j45sqnduhy3; __RequestVerificationToken_Lw__=a3NVWCZIIdAJq9jOKEbhic39Vp03TnfuaVRd0mv7yBMYi88KbWiEO1uTpjKuQyybqfSC6JzuMPAA/EPxUpMeeI5hAxDRBepfwT7oeGSTy4xDp+vX7lqDSnJ4C2FI5J6yNRoasA==; TS9d98d7=9f0b4c041f7d935b1147a57259d88de374a21272ed77bfab505b5c7636af3f5e4cdb125288da4b2db1281d8f\r\nAccept: application/octet-stream, application/vnd.oma.drm.content, application/vnd.oma.drm.message, application/vnd.oma.drm.rights+wbxml, application/vnd.oma.drm.rights+xml, a</LI-CODE> Sun, 29 Nov 2020 16:51:52 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-rewrite-host-meta-key-at-ingestion/m-p/531263#M89382 brent_weaver 2020-11-29T16:51:52Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-rewrite-host-meta-key-at-ingestion/m-p/531264#M89383 <P>See above as I just posted a sample of data.</P> Sun, 29 Nov 2020 17:04:18 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-rewrite-host-meta-key-at-ingestion/m-p/531264#M89383 brent_weaver 2020-11-29T17:04:18Z