<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Problems Setting Host Values Based On Event Data in Knowledge Management</title>
    <link>https://community.splunk.com/t5/Knowledge-Management/Problems-Setting-Host-Values-Based-On-Event-Data/m-p/51991#M7181</link>
    <description>&lt;P&gt;I think the caret (^) in the regex is the culprit. If I remember correctly, the line doesn't start there, the text is indented. Also, you may wish to state that it's a multiline event. Try the following regex:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;REGEX=(?m)Event\soriginator:\s(\S+)
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Hope this helps,&lt;/P&gt;

&lt;P&gt;Kristian&lt;/P&gt;</description>
    <pubDate>Tue, 15 May 2012 15:16:01 GMT</pubDate>
    <dc:creator>kristian_kolb</dc:creator>
    <dc:date>2012-05-15T15:16:01Z</dc:date>
    <item>
      <title>Problems Setting Host Values Based On Event Data</title>
      <link>https://community.splunk.com/t5/Knowledge-Management/Problems-Setting-Host-Values-Based-On-Event-Data/m-p/51990#M7180</link>
      <description>&lt;P&gt;I have a v4.1.4 full forwarder set up to forward the Windows system and application event logs to a v4.1.4 indexer. At this point, events coming from both event logs have the hostname of the forwarder (sbkhpsim1) in the "host=" field. However, in the application event log only, I need to substitute the forwarder's hostname in the "host=" field with the name of a host within the event. Below are the inputs.conf, props.conf, and transforms.conf files from the forwarder. The REGEX to do the substitution works, so I don't think that's the issue. ANY help is appreciated.&lt;/P&gt;

&lt;P&gt;inputs.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;host = sbkhpsim1

[WinEventLog:System]
disabled = false

[WinEventLog:Application]
disabled = false
sourcetype = WindowsAppEventLog
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;props.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[WindowsAppEventLog]
TRANSFORMS-sim = GetEventOrigName
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;transforms.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[GetEventOrigName]
REGEX = ^Event\soriginator:\s(\w+\-?\w+)
DEST_KEY = MetaData:Host
FORMAT = host::$1
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Event Text&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;05/15/12 07:30:01 AM
LogName=Application
SourceName=HP Systems Insight Manager
EventCode=3
EventType=1
Type=Error
ComputerName=SBKHPSIM1
Category=0
CategoryString=none
RecordNumber=57175
Message=sbkesx14: (SNMP) Accelerator Board Status Change (3038): 
Event Name: (SNMP) Accelerator Board Status Change (3038)
URL: &lt;A href="http://sbkhpsim1.win.dowjones.net:280/mxportal/MxContextLaunch.jsp?systems=sbkesx14&amp;amp;tool=System%20Page" target="test_blank"&gt;http://sbkhpsim1.win.dowjones.net:280/mxportal/MxContextLaunch.jsp?systems=sbkesx14&amp;amp;tool=System%20Page&lt;/A&gt;
Event originator: sbkesx14
Event Severity: Critical
Event received: 15-May-2012, 07:28:51

Event description: Accelerator Board Status Change.  This trap signifies that the agent has detected a change in the status of an array accelerator cache board.  The current status is represented by the variable cpqDaAccelStatus.  User Action: If the accelerator board status is permDisabled(5), you may need to replace the accelerator board.

Location: Slot 6
Model: sa-p400
Serial Number: PA2270J9SW1878
Total Memory: 524288
Status: tmpDisabled
Error Code: lowBattery
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 15 May 2012 13:10:42 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Knowledge-Management/Problems-Setting-Host-Values-Based-On-Event-Data/m-p/51990#M7180</guid>
      <dc:creator>mallem</dc:creator>
      <dc:date>2012-05-15T13:10:42Z</dc:date>
    </item>
    <item>
      <title>Re: Problems Setting Host Values Based On Event Data</title>
      <link>https://community.splunk.com/t5/Knowledge-Management/Problems-Setting-Host-Values-Based-On-Event-Data/m-p/51991#M7181</link>
      <description>&lt;P&gt;I think the caret (^) in the regex is the culprit. If I remember correctly, the line doesn't start there, the text is indented. Also, you may wish to state that it's a multiline event. Try the following regex:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;REGEX=(?m)Event\soriginator:\s(\S+)
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Hope this helps,&lt;/P&gt;

&lt;P&gt;Kristian&lt;/P&gt;</description>
      <pubDate>Tue, 15 May 2012 15:16:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Knowledge-Management/Problems-Setting-Host-Values-Based-On-Event-Data/m-p/51991#M7181</guid>
      <dc:creator>kristian_kolb</dc:creator>
      <dc:date>2012-05-15T15:16:01Z</dc:date>
    </item>
    <item>
      <title>Re: Problems Setting Host Values Based On Event Data</title>
      <link>https://community.splunk.com/t5/Knowledge-Management/Problems-Setting-Host-Values-Based-On-Event-Data/m-p/51992#M7182</link>
      <description>&lt;P&gt;fixed typo. sorry. /k&lt;/P&gt;</description>
      <pubDate>Tue, 15 May 2012 15:17:42 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Knowledge-Management/Problems-Setting-Host-Values-Based-On-Event-Data/m-p/51992#M7182</guid>
      <dc:creator>kristian_kolb</dc:creator>
      <dc:date>2012-05-15T15:17:42Z</dc:date>
    </item>
  </channel>
</rss>

