Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Host transforms not working

edwardrose
Contributor
‎05-15-2019 11:24 AM

Hello All,

I have the following props and transfroms

Props.conf

[host::splunk-sh1]
TRANSFORMS-vdisyslogs = set_host

Transforms.conf

[set_host]
REGEX = [ies|wv|inn].*.mentorg.com
DEST_KEY = MetaData:Host
FORMAT = host::$1

But the host value is set to $1 and not the ies|wv|inn.*.mentorg.com. It works when I run the following search:

index="remoteaccess" sourcetype="vdi:syslogs" 
| rex field=_raw "(?<host>[ies|wv|inn].*.mentorg.com)"

What do I have wrong and why is it wrong?

Thanks
ed

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎05-15-2019 01:43 PM

almost 😉

Set the capturing group to be ([ies|wv|inn].*.mentorg.com) to be used as $1

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution

koshyk
Super Champion
‎05-15-2019 01:56 PM

hi,

I could see two issues.

1) You regex may be too greedy sometimes (or incorrect). Please see regex sample on what all your regex will match https://regex101.com/r/xSWLH1/2 .

Better regex is : https://regex101.com/r/d5QXlN/2

2) Capture group is a MUST if you put FORMAT

 [set_host]
 REGEX = ([ies|wv|inn].*?\.mentorg\.com)
 DEST_KEY = MetaData:Host
 FORMAT = host::$1
0 Karma
Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎05-15-2019 01:43 PM

almost 😉

Set the capturing group to be ([ies|wv|inn].*.mentorg.com) to be used as $1

cheers, MuS

Reply
Solved! Jump to solution

edwardrose
Contributor
‎05-15-2019 02:26 PM

@MuS

Your answer was correct and worked.

Thanks
ed

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎05-15-2019 03:00 PM

Thanks, converted to answer - feel free to accept it 🙂

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎05-15-2019 02:30 PM

@MuS - why my cheerful REGEX = ([ies|wv|inn]).*.mentorg.com is broken? ; -) after all we want just ies or wv or inn?

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎05-15-2019 02:37 PM

Your regex is technically correct, but the example shows "(?<host>[ies|wv|inn].*.mentorg.com)" as regex where it will capture either its,wv, or inn followed by anything followed by mentors.com. In other words it captures the FQDN not just the host.

Does that make sense?

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎05-15-2019 02:41 PM

Perfect @MuS ; -)

0 Karma
Reply
Solved! Jump to solution

edwardrose
Contributor
‎05-15-2019 02:36 PM

@ddrillic

I was looking for the entire FQDN that would start with ies, wv or inn.

thanks
ed

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎05-15-2019 02:43 PM

Got it, great @edwardrose - good luck and keep us posted.

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎05-15-2019 01:28 PM

Please try - REGEX = ([ies|wv|inn]).*.mentorg.com for the capture group.

0 Karma
Reply
Solved! Jump to solution

edwardrose
Contributor
‎05-15-2019 01:44 PM

Nope that did not work. The host field still shows up as $1

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎05-15-2019 02:00 PM
  • check for typos
  • did you restart Splunk after the change?
  • check $SPLUNK_HOME/bin/splunk btool props list --debug and $SPLUNK_HOME/bin/splunk btool transforms list --debug to see if your config is used
  • Make sure the host name in the props stanza matches the entire name, not just a substring (and it is case sensitive 😉 )
  • Should not be a show stopper, but in the regex use a \. to match a .

Beside that, out of ideas right now ¯\_(ツ)_/¯

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...