Solved: Change host props and transforms not working

wvalente · ‎08-03-2020

Guys,

I need a help.

I've configured the props and transforms to change the host field from a lambda function I'm collecting the logs.

I can see the new host, but I not find anything when I search the new host with host=....

I done this configuration in heavy forwarder. This heavy forwarder concentrate the logs and sends it to a splunk cluster with two indexers and auto load balancing configuration.

The host that I'm trying to change is coming from a lambda function from guradduty.

props.conf

[aws:cloudwatch:guardduty]
TRANSFORMS-client = rename_host_guardduty
SHOULD_LINEMERGE = false

transforms.conf

[rename_host_guardduty]
DEST_KEY = MetaData:Host
REGEX = .*
FORMAT = guardduty

Any ideas?

Thank you.

willemjongeneel · ‎08-06-2020

Hello,

I think you should change format to:

FORMAT = host::guardduty

Kind regards,

Willem

View solution in original post

willemjongeneel · ‎08-06-2020

Hello,

I think you should change format to:

FORMAT = host::guardduty

Kind regards,

Willem

wvalente · ‎08-06-2020

Hi Willem.

I've done here and it's work very well.

Thank you so much.

wvalente · ‎08-06-2020

Hi Willem,

I'll try here.

Thank you.

Change host props and transforms not working

field extraction

heavy forwarder

props.conf

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

Change host props and transforms not working

field extraction

heavy forwarder

props.conf

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!