Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Host transforms not working

edwardrose
Contributor
‎05-15-2019 11:24 AM

Hello All,

I have the following props and transfroms

Props.conf

[host::splunk-sh1]
TRANSFORMS-vdisyslogs = set_host

Transforms.conf

[set_host]
REGEX = [ies|wv|inn].*.mentorg.com
DEST_KEY = MetaData:Host
FORMAT = host::$1

But the host value is set to $1 and not the ies|wv|inn.*.mentorg.com. It works when I run the following search:

index="remoteaccess" sourcetype="vdi:syslogs" 
| rex field=_raw "(?<host>[ies|wv|inn].*.mentorg.com)"

What do I have wrong and why is it wrong?

Thanks
ed

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎05-15-2019 01:43 PM

almost 😉

Set the capturing group to be ([ies|wv|inn].*.mentorg.com) to be used as $1

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution

koshyk
Super Champion
‎05-15-2019 01:56 PM

hi,

I could see two issues.

1) You regex may be too greedy sometimes (or incorrect). Please see regex sample on what all your regex will match https://regex101.com/r/xSWLH1/2 .

Better regex is : https://regex101.com/r/d5QXlN/2

2) Capture group is a MUST if you put FORMAT

 [set_host]
 REGEX = ([ies|wv|inn].*?\.mentorg\.com)
 DEST_KEY = MetaData:Host
 FORMAT = host::$1
0 Karma
Reply
Solved! Jump to solution
Solution

MuS
Legend
‎05-15-2019 01:43 PM

almost 😉

Set the capturing group to be ([ies|wv|inn].*.mentorg.com) to be used as $1

cheers, MuS

Reply
Solved! Jump to solution

edwardrose
Contributor
‎05-15-2019 02:26 PM

@MuS

Your answer was correct and worked.

Thanks
ed

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎05-15-2019 03:00 PM

Thanks, converted to answer - feel free to accept it 🙂

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎05-15-2019 02:30 PM

@MuS - why my cheerful REGEX = ([ies|wv|inn]).*.mentorg.com is broken? ; -) after all we want just ies or wv or inn?

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎05-15-2019 02:37 PM

Your regex is technically correct, but the example shows "(?<host>[ies|wv|inn].*.mentorg.com)" as regex where it will capture either its,wv, or inn followed by anything followed by mentors.com. In other words it captures the FQDN not just the host.

Does that make sense?

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎05-15-2019 02:41 PM

Perfect @MuS ; -)

0 Karma
Reply
Solved! Jump to solution

edwardrose
Contributor
‎05-15-2019 02:36 PM

@ddrillic

I was looking for the entire FQDN that would start with ies, wv or inn.

thanks
ed

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎05-15-2019 02:43 PM

Got it, great @edwardrose - good luck and keep us posted.

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎05-15-2019 01:28 PM

Please try - REGEX = ([ies|wv|inn]).*.mentorg.com for the capture group.

0 Karma
Reply
Solved! Jump to solution

edwardrose
Contributor
‎05-15-2019 01:44 PM

Nope that did not work. The host field still shows up as $1

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎05-15-2019 02:00 PM
  • check for typos
  • did you restart Splunk after the change?
  • check $SPLUNK_HOME/bin/splunk btool props list --debug and $SPLUNK_HOME/bin/splunk btool transforms list --debug to see if your config is used
  • Make sure the host name in the props stanza matches the entire name, not just a substring (and it is case sensitive 😉 )
  • Should not be a show stopper, but in the regex use a \. to match a .

Beside that, out of ideas right now ¯\_(ツ)_/¯

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...