topic Re: How to create an interesting field by parsing host name in Splunk Search

How to create an interesting field by parsing host name

rileyken — Sun, 22 Apr 2018 14:58:07 GMT

my index has events from many hosts. The hosts names contain information about what environment the host is part of. I would like to extract this at index time and make it an interesting field.

my host names always follow this pattern: SRV-xxP01xxxxx
the environment in this host name is "P01", and environment is always the 7th, 8th and 9th character in the host name string.

How would I go about making the environment an interesting field for my non-power users?

thanks

Re: How to create an interesting field by parsing host name

adonio — Sun, 22 Apr 2018 15:04:44 GMT

try this:
... | rex field=host "SRV-\S{2}(?<Environment>\S{3})"
hope it helps

Re: How to create an interesting field by parsing host name

woodcock — Sun, 22 Apr 2018 16:04:10 GMT

Are you SURE that you need it at index-time? I will give you that answer but suspect that you would be better off by a search-time solution.
You you need this in #props.conf:

[(::){0}*]
TRANSFORMS-GLOBAL_environment_from_host = environment_from_host

Then you need this in #transforms.conf:

[environment_from_host]
SOURCE_KEY = MetaData:Host
REGEX = ^.{6}(?<environment>.{3})

If you can get by with a search-time solution, then change TRANSFORMS- to REPORT- in #props.conf and change SOURCE_KEY = MetaData:Host to SOURCE_KEY = host in #transforms.conf.

Re: How to create an interesting field by parsing host name

rileyken — Tue, 24 Apr 2018 09:00:16 GMT

The solution provided does not work. I did some digging and found this article, which was simalar

https://www.splunk.com/blog/2014/07/31/quick-tip-wildcard-sourcetypes-in-props-conf.html

maybe the issue is this bit: [(::){0}*]

Re: How to create an interesting field by parsing host name

dbarnesroomstog — Tue, 29 Sep 2020 19:12:50 GMT

The solution would be to apply a regex to extract the environment from the hostname. As a result the we i the props.conf you need to apply this to all host

props.conf
****************************************************************
[host::*]
TRANSFORMS-GLOBAL_environment_from_host = environment_from_host

In the transform.conf we need to specify source key for the regex as MetaData:Host , apply the regex and since this is a new field you have apply WRITE_META = true.

transform.conf
******************************************************************
[environment_from_host]
SOURCE_KEY = MetaData:Host
REGEX = "APPLY YOUR Regex HERE"
FORMAT = env::$1
WRITE_META = true

PLease be sure to apply your correct regex

Re: How to create an interesting field by parsing host name

woodcock — Tue, 24 Apr 2018 15:41:22 GMT

This solution works. Remember you said index-time so you need to deploy it to your Indexer tiers, restart splunk on each Indexer, and then check against events that were indexed AFTER the restart. Did you do all of that?

Re: How to create an interesting field by parsing host name

dbarnesroomstog — Tue, 24 Apr 2018 15:46:55 GMT

Thats what was done and the solution didnt work.