https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40868#M9456 <P>Are the both arriving via the same source?</P> Tue, 20 Nov 2012 20:48:07 GMT Drainy 2012-11-20T20:48:07Z https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40863#M9451 <P>I have 2 hostnames, let's call them "temp" and "temp001". Splunk is capturing "temp001" and placing it in the proper index, but it seems to be ignoring "temp". I think it is because "temp" is found within "temp001". How do I keep them separate and correct?</P> <P>I am uploading images of my props and transforms because the punctuation isn't showing up properly.</P> <P><STRONG><EM>props.conf</EM></STRONG></P> <P><IMG src="http://splunk-base.splunk.com//storage/props_1.gif" alt="Props.conf" /></P> <P><STRONG><EM>transforms.conf</EM></STRONG></P> <P><IMG src="http://splunk-base.splunk.com//storage/transforms_2.gif" alt="transforms.conf" /></P> <P>Thanks!</P> Tue, 20 Nov 2012 19:24:13 GMT https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40863#M9451 aferone 2012-11-20T19:24:13Z https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40864#M9452 <P>This might not be a regex issue. Try renaming the second props stanza as the following:</P> <PRE><CODE>[host::temp001.domain1.domain2.com] TRANSFORMS-idx_routing2 = temp001_idx_routing </CODE></PRE> Tue, 20 Nov 2012 19:29:26 GMT https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40864#M9452 Rob 2012-11-20T19:29:26Z https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40865#M9453 <P>Thanks for the reply, but that didn't do anything. I have 20 other stanzas that all have "TRANSFORMS-idx_routing=". I did try it, but to no avail.</P> <P>Thanks again, though!</P> Tue, 20 Nov 2012 19:49:52 GMT https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40865#M9453 aferone 2012-11-20T19:49:52Z https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40866#M9454 <P>this might be a silly question but is it just a mistake where in props they are both .com and in transforms one is .gov?</P> Tue, 20 Nov 2012 20:40:35 GMT https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40866#M9454 Drainy 2012-11-20T20:40:35Z https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40867#M9455 <P>Thanks for noticing! </P> <P>No, that was a mistake in my editing for this post. They are both the same ending.</P> Tue, 20 Nov 2012 20:46:58 GMT https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40867#M9455 aferone 2012-11-20T20:46:58Z https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40868#M9456 <P>Are the both arriving via the same source?</P> Tue, 20 Nov 2012 20:48:07 GMT https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40868#M9456 Drainy 2012-11-20T20:48:07Z https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40869#M9457 <P>Yes. The whole reason I am doing these hosts this way is because it is coming from UDP:514, and these devices can't use an alternate port, which is how I normally direct my different sources to different indexes.</P> Tue, 20 Nov 2012 20:50:24 GMT https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40869#M9457 aferone 2012-11-20T20:50:24Z https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40870#M9458 <P>how about if you just create the one stanza to rule them all? Using a regex like temp\d+.domain1.domain2.com?</P> Tue, 20 Nov 2012 20:56:31 GMT https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40870#M9458 Drainy 2012-11-20T20:56:31Z https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40871#M9459 <P>I used a * and it didn't work. You're saying to use +?</P> Tue, 20 Nov 2012 20:57:20 GMT https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40871#M9459 aferone 2012-11-20T20:57:20Z https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40872#M9460 <P>Well this is a rex statement so you'll want to use something like \d+ which means match a number and the plus means keep consuming the characters until the number ends</P> Tue, 20 Nov 2012 20:59:04 GMT https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40872#M9460 Drainy 2012-11-20T20:59:04Z https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40873#M9461 <P>My RegEx is a little weak. So if my 2 hostnames were ndgracs.dom1.dom2.com and ndgracs01.dom1.dom2.com, how would the RegEx look?</P> Tue, 20 Nov 2012 21:03:57 GMT https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40873#M9461 aferone 2012-11-20T21:03:57Z https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40874#M9462 <P>ndgracs\d+\.dom1\.dom2\.com should do the job, although it would need testing <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> I can't recall how exacting it is at index time, perhaps ndgracs(\d+\.|\.)dom1\.dom2\.com</P> Tue, 20 Nov 2012 21:08:57 GMT https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40874#M9462 Drainy 2012-11-20T21:08:57Z https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40875#M9463 <P>Well, I tried it, but I'm getting the same results. It finds ndgracs01 and puts it in the right index, but ndgracs goes to the default.</P> Tue, 20 Nov 2012 21:20:43 GMT https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40875#M9463 aferone 2012-11-20T21:20:43Z https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40876#M9464 <P>In props, I have both hosts stanzas going to the same stanza in transforms</P> Tue, 20 Nov 2012 21:21:09 GMT https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40876#M9464 aferone 2012-11-20T21:21:09Z https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40877#M9465 <P>In the case where there are no digits, you have to declare them as optional in your regex, maybe like this <CODE>ndgracs(\d+)?.dom1.dom2.com</CODE></P> Tue, 20 Nov 2012 21:56:57 GMT https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40877#M9465 sowings 2012-11-20T21:56:57Z https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40878#M9466 <P>Dang. Still no dice. It matches ndgracs01, but not ndgracs still.</P> Wed, 21 Nov 2012 15:13:07 GMT https://community.splunk.com/t5/Splunk-Search/Problems-with-props-conf-and-transforms-conf-and-similar/m-p/40878#M9466 aferone 2012-11-21T15:13:07Z