We have a host where logs are aggregated already. I want to Splunk these logs. The source host for the logs is in the file path. I attempted the below props/transforms as a PoC, but no luck. Can anyone catch what I'm doing wrong?
[foobar]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Host
REGEX = ^/opt/splunk/v(ar)
FORMAT = host::bogus$1

[monitor:///opt/splunk/var/log/splunk/splunkd.log]
sourcetype = boguslog
Also, would this sort of transformation work on a UF or only a HF? I was originally doing this to test for myself, but I can't get it to work on my HF in the first place.
Fixed the transform, thanks to http://splunk-base.splunk.com/answers/24769/host-override.
The ^ in my regex was mucking things up. The MetaData:Source value begins with the text "source::". Removing the ^ to permit the "source::" at the start of the value fixed it.
Still haven't gotten it to work on my UF though. Am I correct in understanding that this does not work on the UF?
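Added example (not from the poster or from Splunk): a small Python emulation of how the transform above is evaluated against the MetaData:Source value, showing why the anchored REGEX never matched and what DEST_KEY receives once the ^ is dropped. It assumes Splunk applies REGEX unanchored to the full "source::<path>" string and fills $1 from the first capture group; the sample source value is constructed.

```python
import re

# Constructed sample of what Splunk holds in MetaData:Source: the monitored
# path is prefixed with "source::", so a regex anchored at ^ on the path fails.
SAMPLE_SOURCE = "source::/opt/splunk/var/log/splunk/splunkd.log"


def splunk_format_to_template(fmt: str) -> str:
    """Translate a Splunk FORMAT string ($1, $2, ...) into a Python re
    template (\\1, \\2, ...) so Match.expand() can fill in the groups."""
    return re.sub(r"\$(\d+)", r"\\\1", fmt)


def apply_host_transform(source_value: str, regex: str, fmt: str):
    """Emulate a transforms.conf stanza with SOURCE_KEY = MetaData:Source and
    DEST_KEY = MetaData:Host (assumed semantics: unanchored PCRE-style search).
    Returns the new MetaData:Host value, or None when REGEX does not match,
    in which case the host field is left untouched."""
    m = re.search(regex, source_value)
    if m is None:
        return None
    return m.expand(splunk_format_to_template(fmt))


if __name__ == "__main__":
    # Original stanza: anchored at ^, so "source::" in front makes it fail.
    print(apply_host_transform(SAMPLE_SOURCE, r"^/opt/splunk/v(ar)", "host::bogus$1"))  # -> None
    # Fixed stanza: no ^, the path is found after the "source::" prefix.
    print(apply_host_transform(SAMPLE_SOURCE, r"/opt/splunk/v(ar)", "host::bogus$1"))   # -> host::bogusar
```

Splunk itself builds the real host field from the path, so use this only to sanity-check a REGEX/FORMAT pair before deploying it.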