Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Change host at index time

robwheeler
Engager
‎03-31-2017 09:29 AM

I have a mixture of Wintel and *nix hosts that send logs via the UF, the UF is deployed globally by third parties so access once deployed is limited and standards vary globally in terms of hostname. All hosts start is a letter thats about it.

The question I have is that reporting is being a challenge and I want all hosts to be consistent in terms of name convention, i.e. without any fqdn name.

For Wintel and 70% of *nix this is not a problem and host appears as the shortname. However for the other 30% the fqdn name is an issue.

I've looked but can't find the answer or a solution that works.

My theory is props/transforms config on the HF's that target the sourcetype of the hosts with the fqdn.

Can someone help me out please?

As this is global and not standardized there are multiple variations on fdqn.

Goal -

Index host as shortname

Variations on fqdn could be anything along the lines -

host.xxx.com
host.xxx.xx.xxx.corp
host.xxx.xxx.com
host.xxx.xxx.ie

I tried to work out a searchtime transform but couldn't get it to capture both shortname and fqdn names into one field. This would also be a valid option over the index time.

Regards

Rob

0 Karma
Reply

somesoni2
Revered Legend
‎03-31-2017 11:39 AM

I would try something like this. It assumes that there are at least 2 dots in the. Restart Splunk after change. This would only be executed for all data coming from hosts that are following the pattern specified in props.conf.

props.conf on HF (one stanza for each last segment of fqdn

[host::*.*.com]
TRANSFORMS-fixhost = fqdn_to_short
[host::*.*.org]
TRANSFORMS-fixhost = fqdn_to_short
[host::*.*.corp]
TRANSFORMS-fixhost = fqdn_to_short
..other fqdns...

transforms.conf on HF

[fqdn_to_short]
SOURCE_KEY = MetaData:Host
REGEX = ^([A-z][^\.]+)
FORMAT = $1
DEST_KEY = MetaData:Host
0 Karma
Reply

DalJeanis
Legend
‎03-31-2017 10:21 AM

The trivial method is going to look something like this...

props.conf1

[sourcetypewhatever]
TRANSFORMS-FIELDS = redirect-host

transforms.conf2

[redirect-host]
REGEX = ([^.]+)\..*
DEST_KEY = MetaData:Host
FORMAT = $1

That will pull everything before the first period. However, that will kill you in the occasional case where the host gets extracted as the ip address, so a more complicated regex may be needed.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...