https://community.splunk.com/t5/Splunk-Search/How-to-configure-setting-the-host-field-during-index-time/m-p/248562#M74221 <P>Did remove the underscore ( _ ) long ago, but did not help. I have changed a few things this morning and finally got it working now.</P> <OL> <LI>Changed the Regex</LI> <LI>Have to specify the transforms for all the different sourcetypes, add only a single stanza doesn't work. Tested it by adding single stanza (did not work) and then changed and added it for every sourcetype .</LI> </OL> <P>[hostextract]<BR /> REGEX = (ep\w*\d)<BR /> FORMAT = host::$1<BR /> DEST_KEY = MetaData:Host</P> <P>[sm-plat]<BR /> TRANSFORMS-hostextract=hostextract</P> <P>[sm-expt]<BR /> TRANSFORMS-hostextract=hostextract</P> <P>[sm-impt]<BR /> TRANSFORMS-hostextract=hostextract</P> <P>[sm-vend]<BR /> TRANSFORMS-hostextract=hostextract</P> <P>Thanks</P> Mon, 30 Jan 2017 18:38:35 GMT nmohammed 2017-01-30T18:38:35Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-setting-the-host-field-during-index-time/m-p/248557#M74216 <P>we're trying to set the host fields by extracting the name from the events, but it doesn't seem to work and would appreciate if someone can guide through - </P> <P>example events - </P> <PRE><CODE>2017-01-20 14:18:55,816 [31] ep7mmn001 ERROR SMS.Shared.ApiCommon.Attribute.smapiAuthorizeAttribute at System.Convert.FromBase64_Decode(Char* startInputPtr, Int32 inputLength, Byte* startDestPtr, Int32 destLength) at System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength) at System.Convert.FromBase64CharArray(Char[] inArray, Int32 offset, Int32 length) at Newtonsoft.Json.JsonTextReader.ParseString(Char quote) at Newtonsoft.Json.JsonTextReader.ParseValue() 2017-01-20 14:18:55,816 [31] ep8mmn002 ERROR SMS.Shared.ApiCommon.Attribute.smApiAuthorizeAttribute Invalid length for a Base-64 char array or string. 2017-01-20 14:18:55,816 [31] ep8mmn006 ERROR SMS.Shared.ApiCommon.Attribute.smApiAuthorizeAttribute Invalid length for a Base-64 char array or string. </CODE></PRE> <P>props.conf </P> <PRE><CODE>[sm-plat] TRANSFORMS-hostextract=hostextract [sm-expt] TRANSFORMS-hostextract=hostextract [sm-impt] TRANSFORMS-hostextract=hostextract [sm-vend] TRANSFORMS-hostextract=hostextract </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[hostextract] REGEX = ^[^\]\n]*\]\s+(\w+) FORMAT = host::$1 DEST_KEY = _MetaData:Host </CODE></PRE> <P>Thanks</P> Fri, 20 Jan 2017 23:02:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-setting-the-host-field-during-index-time/m-p/248557#M74216 nmohammed 2017-01-20T23:02:48Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-setting-the-host-field-during-index-time/m-p/248558#M74217 <P>Hi nmohammed,</P> <P>Since you are just using one transform stanza, I think you can just use one stanza to reference it in props.conf: </P> <PRE><CODE> [sm] TRANSFORMS-hostextract=hostextract </CODE></PRE> <P>Also, the REGEX does not seem quite right and I'm not sure which hostnames it tries to capture from the events. You may need to finetune the REGEX to make sure it extracts hostnames correctly. </P> <P>Hope it helps. Thanks!<BR /> Hunter</P> Sat, 21 Jan 2017 01:10:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-setting-the-host-field-during-index-time/m-p/248558#M74217 hunters_splunk 2017-01-21T01:10:01Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-setting-the-host-field-during-index-time/m-p/248559#M74218 <P>First of all, your regex is OK - I saw that on my own, but regex101.com confirmed it as well. So the problem is in either your stanza in <CODE>transforms.conf</CODE> - but it seems OK to me again - or in your referencing the transform from <CODE>props.conf</CODE>. Do your events end up in one of those sourcetypes (sm-plat, sm-expt, sm-impt, sm-vend) and how do you specify their sourcetype?</P> Sat, 21 Jan 2017 02:06:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-setting-the-host-field-during-index-time/m-p/248559#M74218 arkadyz1 2017-01-21T02:06:34Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-setting-the-host-field-during-index-time/m-p/248560#M74219 <P>Thanks. I tried hunters approach and referenced only one stanza ,but still doesn't work.</P> <P>[sm]<BR /> TRANSFORMS-hostextract=hostextract</P> <P>arkadzy1 -</P> <P>we are assigning sourcetypes based on the respective sources -</P> <P>inputs.conf</P> <P>[monitor:\\share\sm\sm-expt]<BR /> disabled = false<BR /> whitelist = .txt$|.log$<BR /> index = sm<BR /> sourcetype = sm-expt</P> <P>[monitor:\\share\sm\sm-impt]<BR /> disabled = false<BR /> whitelist = .txt$|.log$<BR /> index = sm<BR /> sourcetype = sm-impt</P> <P>[monitor:\\share\sm\sm-plat]<BR /> disabled = false<BR /> whitelist = .txt$|.log$<BR /> index = sm<BR /> sourcetype = sm-plat</P> <P>[monitor:\\share\sm\sm-vend]<BR /> disabled = false<BR /> whitelist = .txt$|.log$<BR /> index = sm<BR /> sourcetype = sm-vend</P> <P>Not really sure , where we're going wrong. The regex looks fine when tested and the logs are using log4net type of logging format. we have just assigned different sourcetypes for ease in identifying different applications. </P> Mon, 23 Jan 2017 22:07:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-setting-the-host-field-during-index-time/m-p/248560#M74219 nmohammed 2017-01-23T22:07:18Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-setting-the-host-field-during-index-time/m-p/248561#M74220 <P>One of the things I just realized: in <CODE>transforms.conf</CODE>, you have an underscore ( <CODE>_</CODE>) before <CODE>MetaData</CODE>, which, I believe, should not be there. Try <CODE>DEST_KEY = MetaData:Host</CODE> and see.</P> Fri, 27 Jan 2017 16:30:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-setting-the-host-field-during-index-time/m-p/248561#M74220 arkadyz1 2017-01-27T16:30:16Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-setting-the-host-field-during-index-time/m-p/248562#M74221 <P>Did remove the underscore ( _ ) long ago, but did not help. I have changed a few things this morning and finally got it working now.</P> <OL> <LI>Changed the Regex</LI> <LI>Have to specify the transforms for all the different sourcetypes, add only a single stanza doesn't work. Tested it by adding single stanza (did not work) and then changed and added it for every sourcetype .</LI> </OL> <P>[hostextract]<BR /> REGEX = (ep\w*\d)<BR /> FORMAT = host::$1<BR /> DEST_KEY = MetaData:Host</P> <P>[sm-plat]<BR /> TRANSFORMS-hostextract=hostextract</P> <P>[sm-expt]<BR /> TRANSFORMS-hostextract=hostextract</P> <P>[sm-impt]<BR /> TRANSFORMS-hostextract=hostextract</P> <P>[sm-vend]<BR /> TRANSFORMS-hostextract=hostextract</P> <P>Thanks</P> Mon, 30 Jan 2017 18:38:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-setting-the-host-field-during-index-time/m-p/248562#M74221 nmohammed 2017-01-30T18:38:35Z