Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Change host at index time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Change host at index time
I have a mixture of Wintel and *nix hosts that send logs via the UF, the UF is deployed globally by third parties so access once deployed is limited and standards vary globally in terms of hostname. All hosts start is a letter thats about it.
The question I have is that reporting is being a challenge and I want all hosts to be consistent in terms of name convention, i.e. without any fqdn name.
For Wintel and 70% of *nix this is not a problem and host appears as the shortname. However for the other 30% the fqdn name is an issue.
I've looked but can't find the answer or a solution that works.
My theory is props/transforms config on the HF's that target the sourcetype of the hosts with the fqdn.
Can someone help me out please?
As this is global and not standardized there are multiple variations on fdqn.
Goal -
Index host as shortname
Variations on fqdn could be anything along the lines -
host.xxx.com
host.xxx.xx.xxx.corp
host.xxx.xxx.com
host.xxx.xxx.ie
I tried to work out a searchtime transform but couldn't get it to capture both shortname and fqdn names into one field. This would also be a valid option over the index time.
Regards
Rob
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would try something like this. It assumes that there are at least 2 dots in the. Restart Splunk after change. This would only be executed for all data coming from hosts that are following the pattern specified in props.conf.
props.conf on HF (one stanza for each last segment of fqdn
[host::*.*.com]
TRANSFORMS-fixhost = fqdn_to_short
[host::*.*.org]
TRANSFORMS-fixhost = fqdn_to_short
[host::*.*.corp]
TRANSFORMS-fixhost = fqdn_to_short
..other fqdns...
transforms.conf on HF
[fqdn_to_short]
SOURCE_KEY = MetaData:Host
REGEX = ^([A-z][^\.]+)
FORMAT = $1
DEST_KEY = MetaData:Host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The trivial method is going to look something like this...
props.conf1
[sourcetypewhatever]
TRANSFORMS-FIELDS = redirect-host
transforms.conf2
[redirect-host]
REGEX = ([^.]+)\..*
DEST_KEY = MetaData:Host
FORMAT = $1
That will pull everything before the first period. However, that will kill you in the occasional case where the host gets extracted as the ip address, so a more complicated regex may be needed.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
