Getting Data In

Host transforms not working

edwardrose
Contributor

Hello All,

I have the following props and transfroms

Props.conf

[host::splunk-sh1]
TRANSFORMS-vdisyslogs = set_host

Transforms.conf

[set_host]
REGEX = [ies|wv|inn].*.mentorg.com
DEST_KEY = MetaData:Host
FORMAT = host::$1

But the host value is set to $1 and not the ies|wv|inn.*.mentorg.com. It works when I run the following search:

index="remoteaccess" sourcetype="vdi:syslogs" 
| rex field=_raw "(?<host>[ies|wv|inn].*.mentorg.com)"

What do I have wrong and why is it wrong?

Thanks
ed

0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

almost 😉

Set the capturing group to be ([ies|wv|inn].*.mentorg.com) to be used as $1

cheers, MuS

View solution in original post

koshyk
Super Champion

hi,

I could see two issues.

1) You regex may be too greedy sometimes (or incorrect). Please see regex sample on what all your regex will match https://regex101.com/r/xSWLH1/2 .

Better regex is : https://regex101.com/r/d5QXlN/2

2) Capture group is a MUST if you put FORMAT

 [set_host]
 REGEX = ([ies|wv|inn].*?\.mentorg\.com)
 DEST_KEY = MetaData:Host
 FORMAT = host::$1
0 Karma

MuS
SplunkTrust
SplunkTrust

almost 😉

Set the capturing group to be ([ies|wv|inn].*.mentorg.com) to be used as $1

cheers, MuS

View solution in original post

edwardrose
Contributor

@MuS

Your answer was correct and worked.

Thanks
ed

0 Karma

MuS
SplunkTrust
SplunkTrust

Thanks, converted to answer - feel free to accept it 🙂

cheers, MuS

0 Karma

ddrillic
Ultra Champion

@MuS - why my cheerful REGEX = ([ies|wv|inn]).*.mentorg.com is broken? ; -) after all we want just ies or wv or inn?

0 Karma

MuS
SplunkTrust
SplunkTrust

Your regex is technically correct, but the example shows "(?<host>[ies|wv|inn].*.mentorg.com)" as regex where it will capture either its,wv, or inn followed by anything followed by mentors.com. In other words it captures the FQDN not just the host.

Does that make sense?

ddrillic
Ultra Champion

Perfect @MuS ; -)

0 Karma

edwardrose
Contributor

@ddrillic

I was looking for the entire FQDN that would start with ies, wv or inn.

thanks
ed

0 Karma

ddrillic
Ultra Champion

Got it, great @edwardrose - good luck and keep us posted.

0 Karma

ddrillic
Ultra Champion

Please try - REGEX = ([ies|wv|inn]).*.mentorg.com for the capture group.

0 Karma

edwardrose
Contributor

Nope that did not work. The host field still shows up as $1

0 Karma

MuS
SplunkTrust
SplunkTrust
  • check for typos
  • did you restart Splunk after the change?
  • check $SPLUNK_HOME/bin/splunk btool props list --debug and $SPLUNK_HOME/bin/splunk btool transforms list --debug to see if your config is used
  • Make sure the host name in the props stanza matches the entire name, not just a substring (and it is case sensitive 😉 )
  • Should not be a show stopper, but in the regex use a \. to match a .

Beside that, out of ideas right now ¯\_(ツ)_/¯

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!