Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Change hostname transform

BryanBerry
Path Finder
‎07-02-2013 10:45 AM

We have a host where logs are aggregated already. I want to Splunk these logs. The source host for the logs is in the file path. I attempted the below props/transforms as a PoC, but no luck. Can anyone catch what I'm doing wrong?

transforms.conf:

[foobar]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Host
REGEX = ^/opt/splunk/v(ar)
FORMAT = host::bogus$1

props.conf:

[boguslog]
TRANSFORMS-foo=foobar

inputs.conf:

[monitor:///opt/splunk/var/log/splunk/splunkd.log]
sourcetype = boguslog

Also, would this sort of transformation work on a UF or only a HF? I was originally doing this to test for myself, but I can't get it to work on my HF in the first place.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎07-02-2013 01:32 PM

Umm, aren't you making this a bit too difficult? Did you have a look at the host_segment configuration directive in inputs.conf?

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎07-02-2013 01:32 PM

Umm, aren't you making this a bit too difficult? Did you have a look at the host_segment configuration directive in inputs.conf?

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

Reply
Solved! Jump to solution

BryanBerry
Path Finder
‎07-02-2013 02:09 PM

You, sir, are kind of awesome. Using this with the UF actually shaves two weeks off my project by avoiding the heavy forwarder. Thank you!

0 Karma
Reply
Solved! Jump to solution

JSapienza
Contributor
‎07-02-2013 12:21 PM

Correct behavior, props and transforms are not processed by a UF .

0 Karma
Reply
Solved! Jump to solution

BryanBerry
Path Finder
‎07-02-2013 10:53 AM

Fixed the transform, thanks to http://splunk-base.splunk.com/answers/24769/host-override.

The ^ in my regex was mucking things up. The MetaData:Source source begins with text "source::". Removing the ^ to permit the "source::" at the start of the value fixed it.

Still haven't gotten it to work on my UF though. Am I correct in understanding that this does not work on the UF?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...