https://community.splunk.com/t5/Splunk-Search/How-replace-host-using-a-field/m-p/340415#M159642 <P>Hi,</P> <P>I'm trying to replace the host value using a field in the data. I tried to find any previous similar solution but it's not working. </P> <P>A sample of the data is here:</P> <P>'##REC##;WWWDBDW;3221912927;wwwdbdw1;<STRONG>x52wwwdb01.domain.com</STRONG>;11.2.0.4.0;Linux x86 64-bit;00008481;25-Aug-16 12:00:01;25.40;0.00;0.00;0.00;964278.51;0.00;2.55;4.06;1.59'</P> <P>props.conf<BR /> [www_general_stats]<BR /> TRANSFORMS-host = www_host</P> <P>transforms.conf<BR /> [www_host]<BR /> SOURCE_KEY = _raw<BR /> DEST_KEY = Metadata::Host<BR /> FORMAT = host::$1<BR /> REGEX = ^(?:[^;\n]*;){4}(?P[^;]+)</P> <P>Can anyone help me here, please?</P> Tue, 29 Sep 2020 15:07:49 GMT tamakg 2020-09-29T15:07:49Z https://community.splunk.com/t5/Splunk-Search/How-replace-host-using-a-field/m-p/340415#M159642 <P>Hi,</P> <P>I'm trying to replace the host value using a field in the data. I tried to find any previous similar solution but it's not working. </P> <P>A sample of the data is here:</P> <P>'##REC##;WWWDBDW;3221912927;wwwdbdw1;<STRONG>x52wwwdb01.domain.com</STRONG>;11.2.0.4.0;Linux x86 64-bit;00008481;25-Aug-16 12:00:01;25.40;0.00;0.00;0.00;964278.51;0.00;2.55;4.06;1.59'</P> <P>props.conf<BR /> [www_general_stats]<BR /> TRANSFORMS-host = www_host</P> <P>transforms.conf<BR /> [www_host]<BR /> SOURCE_KEY = _raw<BR /> DEST_KEY = Metadata::Host<BR /> FORMAT = host::$1<BR /> REGEX = ^(?:[^;\n]*;){4}(?P[^;]+)</P> <P>Can anyone help me here, please?</P> Tue, 29 Sep 2020 15:07:49 GMT https://community.splunk.com/t5/Splunk-Search/How-replace-host-using-a-field/m-p/340415#M159642 tamakg 2020-09-29T15:07:49Z https://community.splunk.com/t5/Splunk-Search/How-replace-host-using-a-field/m-p/340416#M159643 <P>You don't need the <CODE>?P</CODE> part in your regex.</P> <P>Use this instead: <CODE>REGEX = ^(?:[^;\n]*;){4}([^;]+)</CODE></P> Tue, 01 Aug 2017 19:49:57 GMT https://community.splunk.com/t5/Splunk-Search/How-replace-host-using-a-field/m-p/340416#M159643 rjthibod 2017-08-01T19:49:57Z https://community.splunk.com/t5/Splunk-Search/How-replace-host-using-a-field/m-p/340417#M159644 <P>I don't know what is "not working" (could be that it isn't finding the host properly and thus assigning something else in the field, or not assigning the host at all - you didn't really specify that). I do see two problems, one which was answered by <STRONG>rjthibod</STRONG> already and the other is the DEST_KEY. One colon instead of two:</P> <PRE><CODE>DEST_KEY = MetaData:Host </CODE></PRE> Tue, 01 Aug 2017 22:15:57 GMT https://community.splunk.com/t5/Splunk-Search/How-replace-host-using-a-field/m-p/340417#M159644 cpetterborg 2017-08-01T22:15:57Z https://community.splunk.com/t5/Splunk-Search/How-replace-host-using-a-field/m-p/340418#M159645 <P>The issue seems to be the upper case D of MetaData. Worked fine!</P> <P>Thank you!</P> Tue, 01 Aug 2017 22:27:27 GMT https://community.splunk.com/t5/Splunk-Search/How-replace-host-using-a-field/m-p/340418#M159645 tamakg 2017-08-01T22:27:27Z https://community.splunk.com/t5/Splunk-Search/How-replace-host-using-a-field/m-p/340419#M159646 <P>AND the single colon...</P> Tue, 01 Aug 2017 22:31:12 GMT https://community.splunk.com/t5/Splunk-Search/How-replace-host-using-a-field/m-p/340419#M159646 tamakg 2017-08-01T22:31:12Z