https://community.splunk.com/t5/Splunk-Search/Setting-host-from-a-field-within-a-data-input-file/m-p/84950#M21661 <P>Pretty sure the problem is in the REGEX attribute in the [snmp-trap-host] stanza. You defined the group as a non-capturing group, which means the $1 group in the FORMAT attribute will always be blank. Furthermore, even if you remove the "?:" from the regex statement, I still don't think the group will capture the entire IP address. I recommend updating your regex code and re-testing it using an online regex testing tool. I really like this site: <A href="http://www.myezapp.com/apps/dev/regexp/show.ws">http://www.myezapp.com/apps/dev/regexp/show.ws</A></P> Tue, 31 Jul 2012 17:46:23 GMT lbowser_splunk 2012-07-31T17:46:23Z https://community.splunk.com/t5/Splunk-Search/Setting-host-from-a-field-within-a-data-input-file/m-p/84948#M21659 <P>I have added this to $local/props.conf and $local/transforms.conf, respectively:</P> <PRE><CODE># props.conf # CUSTOM [snmp-trap] pulldown_type = true maxDist = 3 TIME_FORMAT = %b %d %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD = 32 TRANSFORMS = snmp-trap-host REPORT-snmp-trap = snmp-trap-extractions SHOULD_LINEMERGE = False # transform.conf # CUSTOM [snmp-trap-host] DEST_KEY = MetaData:Host REGEX = (?:[0-9]{1,3}\.){3}[0-9]{1,3} FORMAT = host::$1 [snmp-trap-extractions] REGEX = ^(\d{4}-\d{2}-\d{2})\s(\d{2}:\d{2}:\d{2})\s([a-zA-Z]*) FORMAT = trap_oid::$3 </CODE></PRE> <P>And some sample output from the file I'm using as a data input is:</P> <PRE><CODE>2011-10-03 10:05:40 ciscoConfigManEvent Normal "Status Events" 10.219.49.51 - Notification of a configuration management event as commandLine running commandSource </CODE></PRE> <P>I've deleted the data input and re-added it, I've also restarted splunk.</P> <P>So from the example above, I'm trying to set the host to 10.219.49.51. Problem is that it doesn't seem to be using the host from the regex in props.conf to populate the host field when I realtime search for matches since the restart.</P> <P>Can anyone see anything that I've missed?</P> Mon, 03 Oct 2011 14:09:02 GMT https://community.splunk.com/t5/Splunk-Search/Setting-host-from-a-field-within-a-data-input-file/m-p/84948#M21659 jlixfeld 2011-10-03T14:09:02Z https://community.splunk.com/t5/Splunk-Search/Setting-host-from-a-field-within-a-data-input-file/m-p/84949#M21660 <P>I think the following line in your props:</P> <P>TRANSFORMS = snmp-trap-host</P> <P>should be something like this: TRANSFORMS-name. Try the one below:</P> <P>TRANSFORMS-trap_host = snmp-trap-host</P> Mon, 10 Oct 2011 22:09:03 GMT https://community.splunk.com/t5/Splunk-Search/Setting-host-from-a-field-within-a-data-input-file/m-p/84949#M21660 _d_ 2011-10-10T22:09:03Z https://community.splunk.com/t5/Splunk-Search/Setting-host-from-a-field-within-a-data-input-file/m-p/84950#M21661 <P>Pretty sure the problem is in the REGEX attribute in the [snmp-trap-host] stanza. You defined the group as a non-capturing group, which means the $1 group in the FORMAT attribute will always be blank. Furthermore, even if you remove the "?:" from the regex statement, I still don't think the group will capture the entire IP address. I recommend updating your regex code and re-testing it using an online regex testing tool. I really like this site: <A href="http://www.myezapp.com/apps/dev/regexp/show.ws">http://www.myezapp.com/apps/dev/regexp/show.ws</A></P> Tue, 31 Jul 2012 17:46:23 GMT https://community.splunk.com/t5/Splunk-Search/Setting-host-from-a-field-within-a-data-input-file/m-p/84950#M21661 lbowser_splunk 2012-07-31T17:46:23Z