We have a host where logs are aggregated already. I want to Splunk these logs. The source host for the logs is in the file path. I attempted the below props/transforms as a PoC, but no luck. Can anyone catch what I'm doing wrong?
transforms.conf:
[foobar]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Host
REGEX = ^/opt/splunk/v(ar)
FORMAT = host::bogus$1
props.conf:
[boguslog]
TRANSFORMS-foo=foobar
inputs.conf:
[monitor:///opt/splunk/var/log/splunk/splunkd.log]
sourcetype = boguslog
Also, would this sort of transformation work on a UF or only a HF? I was originally doing this to test for myself, but I can't get it to work on my HF in the first place.
Umm, aren't you making this a bit too difficult? Did you have a look at the host_segment configuration directive in inputs.conf?
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
You, sir, are kind of awesome. Using this with the UF actually shaves two weeks off my project by avoiding the heavy forwarder. Thank you!
Correct behavior; props and transforms are not processed by a UF.
Fixed the transform, thanks to http://splunk-base.splunk.com/answers/24769/host-override.
The ^ in my regex was mucking things up. The MetaData:Source value begins with the text "source::". Removing the ^ to permit the "source::" at the start of the value fixed it.
Still haven't gotten it to work on my UF though. Am I correct in understanding that this does not work on the UF?
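To make both points in this thread concrete (the host_segment suggestion and the "source::" prefix that broke the anchored regex), here is a small added emulation, not Splunk's code and not from any of the posters. It assumes Splunk presents the monitored path to a TRANSFORMS rule as "source::/path" and that FORMAT for DEST_KEY=MetaData:Host takes the form "host::value"; the sample path is the one from the question.

```python
import re

# Constructed sample: what a transforms.conf rule with
# SOURCE_KEY = MetaData:Source actually sees for the monitored file.
# The "source::" prefix is why a regex anchored with ^ at "/opt/..." never matches.
SAMPLE_SOURCE = "source::/opt/splunk/var/log/splunk/splunkd.log"
SAMPLE_PATH = "/opt/splunk/var/log/splunk/splunkd.log"


def apply_host_transform(source_value, regex, fmt):
    """Emulate a transforms.conf stanza (SOURCE_KEY=MetaData:Source,
    DEST_KEY=MetaData:Host): run REGEX over the value and expand $1..$n in
    FORMAT with the capture groups. Returns the resulting host (the part
    after "host::"), or None when REGEX does not match, in which case the
    transform is a no-op and the host is left unchanged."""
    m = re.search(regex, source_value)
    if not m:
        return None
    out = fmt
    for i, group in enumerate(m.groups(), start=1):
        out = out.replace(f"${i}", group or "")
    return out[len("host::"):] if out.startswith("host::") else out


def host_from_segment(source_path, host_segment):
    """Emulate inputs.conf host_segment = N: use the Nth segment of the
    monitored file's path (1-based, leading slash ignored) as the host.
    Returns None when the path has fewer than N segments."""
    segments = [s for s in source_path.split("/") if s]
    if host_segment < 1 or host_segment > len(segments):
        return None
    return segments[host_segment - 1]


if __name__ == "__main__":
    # The question's original regex, anchored with ^: no match, host unchanged.
    print(apply_host_transform(SAMPLE_SOURCE, r"^/opt/splunk/v(ar)", "host::bogus$1"))
    # The fixed regex without ^: matches after the "source::" prefix.
    print(apply_host_transform(SAMPLE_SOURCE, r"/opt/splunk/v(ar)", "host::bogus$1"))
    # The host_segment route: segment 3 of the path is "var".
    print(host_from_segment(SAMPLE_PATH, 3))
```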