Getting Data In

Host override not working.

gnagasri
Engager

Sample events - working in regex101 : https://regex101.com/r/LuC6ZQ/1

| rex field=_raw "nsssvcip\=(?<host>\d+\.\d+\.\d+\.\d+)" - working in Splunk UI search bar.

Transforms.conf

[aaa_sourcetype]
DEST_KEY = MetaData:Host
FORMAT = host::$1
REGEX = nsssvcip\=(\d+\.\d+\.\d+\.\d+)

Props.conf

TRANSFORMS-01-set_host = aaa_sourcetype

But when I apply the above, it doesn't work for the 1st sample event. Kindly suggest.


livehybrid
SplunkTrust

Hi @gnagasri 

Your match is at position 5321 in the string; however, the default regex lookahead limit is 4096. Try setting the LOOKAHEAD value in your transform stanza to a higher value (e.g. 7000):

LOOKAHEAD = <integer>
* NOTE: This option is valid for all index time transforms, such as
  index-time field creation, or DEST_KEY modifications.
* Optional. Specifies how many characters to search into an event.
* Default: 4096
  * You may want to increase this value if you have event line lengths that
    exceed 4096 characters (before linebreaking).

For more info check out the transforms docs at https://help.splunk.com/en/data-management/splunk-enterprise-admin-manual/9.4/configuration-file-ref...

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing
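To make the LOOKAHEAD point concrete, here is an added Python simulation (not from the thread and not Splunk's own code) of an index-time transform that only sees the first LOOKAHEAD characters of an event; the event layout, filler and IP address are constructed. It also shows the boundary case where a window that ends inside the field captures a truncated value, which is why the limit needs margin beyond the field's position rather than just exceeding it.

```python
import re

# REGEX and FORMAT as given in the transforms.conf stanza in the question.
REGEX = re.compile(r"nsssvcip\=(\d+\.\d+\.\d+\.\d+)")
FORMAT = "host::$1"
DEFAULT_LOOKAHEAD = 4096  # default quoted from transforms.conf.spec in the answer


def apply_transform(raw, lookahead=DEFAULT_LOOKAHEAD):
    """Simulate the index-time transform: the regex is only run against the
    first `lookahead` characters of the event. lookahead=None searches the
    whole event, which is what the search-time `rex` over _raw effectively does.
    Returns the expanded FORMAT string, or None when nothing matched."""
    window = raw if lookahead is None else raw[:lookahead]
    m = REGEX.search(window)
    if m is None:
        return None
    return FORMAT.replace("$1", m.group(1))


def build_event(offset, ip):
    """Constructed sample event: `offset` filler characters, then the field."""
    return "x" * offset + f"nsssvcip={ip} other=stuff"


def main():
    # Constructed event with the field at offset 5321, as cited in the thread.
    raw = build_event(5321, "10.20.30.40")
    print(apply_transform(raw))                  # None: 5321 > 4096 default
    print(apply_transform(raw, lookahead=7000))  # host::10.20.30.40
    print(apply_transform(raw, lookahead=None))  # host::10.20.30.40 (whole _raw)
    # Boundary caveat: a window ending inside the IP (offset 5321 + len("nsssvcip=")
    # + 10 chars = 5340) still matches, but yields the truncated value 10.20.30.4.
    print(apply_transform(raw, lookahead=5340))  # host::10.20.30.4


if __name__ == "__main__":
    main()
```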


gnagasri
Engager

This worked. Thank you.


isoutamo
SplunkTrust

You should try this.
There are a lot of other limits, like TRUNCATE etc., which could also be hit, especially in some other issues. I really suggest that you read those spec files; additionally, limits.conf is one useful

gcusello
SplunkTrust

Hi @gnagasri ,

Where did you locate these conf files?

They must be located on the first Heavy Forwarder the data passes through or (if there isn't any Heavy Forwarder) on the Indexers.

Ciao.

Giuseppe
