Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Are my props.conf and transforms.conf correct in setting metadata from TCP input?

ericmck2000
Explorer
‎01-31-2017 02:00 PM

So... I am attempting to setup a TCP input, which will automatically set metadata, from the event.

The _Raw looks like: {"time":"2017-01-31T15:51:56.9081571-06:00","index":"main","source":"ToolsTesting","host":"348SR52-OGS","Event":"Hello world"}

With the pretty version looking like:

{   [-] 
     Event:  Hello world    
     host:   348SR52-OGS    
     index:  main   
     source:     ToolsTesting   
     time:   2017-01-31T15:51:56.9081571-06:00  
}

So, the "Event" field contains the actual event, whether it be hello world, or a complex object, That piece is working....

But, I want to be able to set the source, host, index... etc, via fields located in my raw input.

So far, I have this....

Props:

[toolsjson]
INDEXED_EXTRACTIONS = json
KV_MODE = json
NO_BINARY_CHECK = true
category = Structured
description = Parse out messages
pulldown_type = 1
disabled = false
TRANSFORM-setsource=set_source_value

Transforms:

[set_source_value]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::$1

I guess the issue is.... I am not very familiar with how to properly use transforms to set the fields. I have looked over a few examples, and I am still slightly lost. Can somebody give me a bit of help?

As a bonus, I would like to strip the "metadata" out of my raw event, and only display the actual event.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ericmck2000
Explorer
‎02-01-2017 09:16 AM

http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Assignmetadatatoeventsdynamically

I found the answer after spending a few hours using google.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ericmck2000
Explorer
‎02-01-2017 09:16 AM

http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Assignmetadatatoeventsdynamically

I found the answer after spending a few hours using google.

0 Karma
Reply
Solved! Jump to solution

ericmck2000
Explorer
‎02-01-2017 11:56 AM

Write-up

I posted a full write-up of everything I did for anybody who finds this information useful.

http://xtremeownage.com/index.php?threads/sending-events-to-splunk-via-tcp-using-c.1648/#post-3083

Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...