Solved: Accessing metadata from the format option in trans...

peter_gianusso · ‎09-18-2012

Functionally, here's what I am looking to do.

I want to take the host (NJROS1BVA0597), append the source type (VM88 or VM11) identified in the props.conf and then re-write that to the host field.

So if the log is CAPPM_UPDATEDB.log, at the end of this, NJROS1BVA0597VM11 would be written to the host field.

My regex seems to be working In the format option, because the $0 gets me the original host name without a problem.
It's getting the source type to append to it, that is the problem.

My probably feeble attempt MetaData:Sourcetype does not work.

input.conf

[monitor://\\njros1bva0597\d$\LogFiles\W3SVC1\]
disabled = 0
host = NJROS1BVA0597
index=imaging
whitelist = \.log$

Props.conf

[source::...\\CAPPM*.log] 
sourcetype = VM11

[source::...\\ex*.log] 
sourcetype = VM88

[VM88]
TRANSFORMS-hostname = rewrite_host

Transforms.conf

[rewrite_host]
SOURCE_KEY = MetaData:Host
REGEX = .*
DEST_KEY = MetaData:Host
FORMAT = $0MetaData:Sourcetype

peter_gianusso · ‎11-08-2012

eper Splunk support, not possible

View solution in original post

peter_gianusso · ‎11-08-2012

eper Splunk support, not possible

Accessing metadata from the format option in transforms.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation