Hello All,
I have the following props and transforms
Props.conf
[host::splunk-sh1]
TRANSFORMS-vdisyslogs = set_host
Transforms.conf
[set_host]
REGEX = [ies|wv|inn].*.mentorg.com
DEST_KEY = MetaData:Host
FORMAT = host::$1
But the host value is set to $1 and not the ies|wv|inn.*.mentorg.com. It works when I run the following search:
index="remoteaccess" sourcetype="vdi:syslogs"
| rex field=_raw "(?<host>[ies|wv|inn].*.mentorg.com)"
What do I have wrong and why is it wrong?
Thanks
ed
almost 😉
Set the capturing group to be ([ies|wv|inn].*.mentorg.com)
to be used as $1
cheers, MuS
hi,
I could see two issues.
1) Your regex may be too greedy sometimes (or incorrect). Please see the regex sample for everything your regex will match: https://regex101.com/r/xSWLH1/2 .
A better regex is: https://regex101.com/r/d5QXlN/2
2) Capture group is a MUST if you put FORMAT
[set_host]
REGEX = ([ies|wv|inn].*?\.mentorg\.com)
DEST_KEY = MetaData:Host
FORMAT = host::$1
@MuS
Your answer was correct and worked.
Thanks
ed
Thanks, converted to answer - feel free to accept it 🙂
cheers, MuS
@MuS - why my cheerful REGEX = ([ies|wv|inn]).*.mentorg.com
is broken? ;-) after all we want just ies or wv or inn?
Your regex is technically correct, but the example shows "(?<host>[ies|wv|inn].*.mentorg.com)"
as regex where it will capture either ies, wv, or inn followed by anything followed by mentorg.com. In other words it captures the FQDN not just the host.
Does that make sense?
Perfect @MuS ;-)
@ddrillic
I was looking for the entire FQDN that would start with ies, wv or inn.
thanks
ed
Got it, great @edwardrose - good luck and keep us posted.
Please try - REGEX = ([ies|wv|inn]).*.mentorg.com
for the capture group.
Nope that did not work. The host field still shows up as $1
$SPLUNK_HOME/bin/splunk btool props list --debug
and $SPLUNK_HOME/bin/splunk btool transforms list --debug
to see if your config is used\.
to match a .
Beside that, out of ideas right now ¯\_(ツ)_/¯
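
Added example (not part of any post in this thread): Python's `re` module stands in for Splunk's PCRE engine to show what each pattern discussed above would put into the host field for one constructed syslog line. The `anchored` pattern, the sample event and the helper names are assumptions made for this illustration.

```python
import re

# Constructed sample event (not from the thread); host names are made up.
EVENT = ("Jan 12 10:00:01 wv-vdi01.mentorg.com sshd[211]: "
         "session opened for user ed from inn-gw2.mentorg.com")

PATTERNS = {
    "question": r"[ies|wv|inn].*.mentorg.com",       # no capture group
    "grouped":  r"([ies|wv|inn].*.mentorg.com)",     # group added, class kept
    "lazy":     r"([ies|wv|inn].*?\.mentorg\.com)",  # lazy, dots escaped
    # Assumed rewrite: real alternation, hostname characters only.
    "anchored": r"\b((?:ies|wv|inn)[\w.-]*\.mentorg\.com)\b",
}

def host_from(pattern, raw):
    """Emulate FORMAT = host::$1 for one event.

    Returns the literal "$1" when the pattern has no capture group (the
    symptom reported in the thread), None when the pattern does not match
    (host left unchanged), else the text of group 1.
    """
    rx = re.compile(pattern)
    if rx.groups == 0:
        return "$1"
    m = rx.search(raw)
    return m.group(1) if m else None

def class_members(char_class):
    """List the single characters a bracket expression such as
    [ies|wv|inn] accepts; inside brackets '|' is an ordinary character."""
    rx = re.compile(char_class)
    return sorted(c for c in map(chr, range(32, 127)) if rx.fullmatch(c))

if __name__ == "__main__":
    print("class matches:", class_members("[ies|wv|inn]"))
    for name, pat in PATTERNS.items():
        print(f"{name:9} -> {host_from(pat, EVENT)!r}")
```

On this sample the bracket expression matches the `n` in `Jan`, so both the `grouped` and `lazy` patterns start the host value inside the timestamp; only the alternation form returns a clean FQDN.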