Getting Data In

How can I change hostname in log files?

riqbal
Communicator

I am trying to change the host name. The name is from the log files.

Sep 20 11:13:18 10.50.3.100 Sep 20 11:13:15 ac.dc1.buttercomom.com ASM:

the host name is always before ASM:

I tried to change it through transforms.conf but the host name is not changing. Below is my transforms.conf file:
transforms.conf

[host_name]
SOURCE_KEY = _raw
REGEX = \s(\w+.\w+.\w+.\w+) ASM:$
FORMAT = host::$1
DEST_KEY =  MetaData:Host

props.conf

[f5xxx]
DATETIME_CONFIG = 
NO_BINARY_CHECK = true
TIME_PREFIX = x0x.xx.x.xx
category = Custom
pulldown_type = true
TRANSFORMS-register = host_name

How can I change the hostname?
Secondly, if there is a problem in my regex, how can I identify that there is a problem? Any clue from the log file?

0 Karma
1 Solution

martin_mueller
SplunkTrust

Does your log event end with ASM:? If not, remove the dollar sign from the regex as that would stop the regex from matching.

Side note 1, to match literal dots use \. instead of . that matches any character.
Side note 2, you're constricting your host names to four levels / three dots - you probably want to match any non-space hostname by using \S+.
Side note 3, anchoring your regex on ASM: after your variable part is really bad for performance. After getting the hostname change to work, consider anchoring the regex at the beginning of the string, skipping over date-ip-date and then matching the next non-space part as the hostname.


0 Karma
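To answer the second part of the question (how to tell whether the regex itself is the problem before touching Splunk), here is an added Python harness; it is not from this thread or from Splunk. It runs each REGEX value posted in the thread against constructed sample events modelled on the two events quoted here: the truncated line that ends in "ASM:", a fuller line that continues past "ASM:", and a copy of that line with a longer relay IP. Python's re engine is not the PCRE engine Splunk uses, but for these patterns (anchors, \s, \S, \w, \d, bounded repeats) the behaviour is the same. The event text after "ASM:" and the 192.168.100.200 address are my own constructions.

```python
import re

# Constructed sample events, modelled on the events quoted in the thread.
# EVENT_SHORT is the truncated line from the question (it ends in "ASM:");
# EVENT_FULL continues past "ASM:" like the complete event posted later
# (the payload text is shortened and constructed, not the real event);
# EVENT_WIDE_IP is the same event with a longer relay IP (constructed).
EVENT_SHORT = "Sep 20 11:13:18 10.50.3.100 Sep 20 11:13:15 ac.dc1.buttercomom.com ASM:"
EVENT_FULL = (
    "Sep 20 11:13:18 10.50.3.100 Sep 20 11:13:15 ac.dc1.buttercomom.com "
    'ASM:"MONEYPAK_WEBAPP","MONEYPAK_CLASS","Blocked","Attack signature detected"'
)
EVENT_WIDE_IP = EVENT_FULL.replace("10.50.3.100", "192.168.100.200")

# Candidate REGEX values, all taken from posts in this thread.
PATTERNS = {
    "original (with $)": r"\s(\w+.\w+.\w+.\w+) ASM:$",
    "original minus $": r"\s(\w+.\w+.\w+.\w+) ASM:",
    "non-space host": r"\s(\S+) ASM:",
    "fixed 44-char skip": r"^.{44}(\S+)\sASM",
    "skip date-ip-date": (
        r"\w+\s+\d+\s+\d+:\d+:\d+\s+[^\s]+\s"
        r"\w+\s+\d+\s+\d+:\d+:\d+\s+([^\s]+)"
    ),
}


def extract_host(pattern: str, event: str):
    """Return capture group 1 (what FORMAT = host::$1 would receive),
    or None when the regex does not match the event at all."""
    match = re.search(pattern, event)
    return match.group(1) if match else None


def check_patterns(events: dict) -> dict:
    """Run every candidate regex against every event.
    Returns {pattern_name: {event_name: host_or_None}} so a None shows
    exactly which pattern/event pair would leave the host unchanged."""
    return {
        name: {ev_name: extract_host(pat, ev) for ev_name, ev in events.items()}
        for name, pat in PATTERNS.items()
    }


if __name__ == "__main__":
    sample = {"short": EVENT_SHORT, "full": EVENT_FULL, "wide_ip": EVENT_WIDE_IP}
    for name, results in check_patterns(sample).items():
        print(f"{name:20s} {results}")
```

Running it shows the point of the accepted answer: the original regex only matches the truncated event because of the trailing `$`, and every variant without `$` extracts `ac.dc1.buttercomom.com` from the full event. It also shows the caveat with the fixed `.{44}` skip: it happens to fit when the relay address is `10.50.3.100`, but a longer address shifts the hostname and the pattern stops matching, whereas the pattern that walks over date, IP and date token by token still works.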


martin_mueller
SplunkTrust

So... your hostname replacement is working now? None of the side notes contribute to correctness; tackle them after getting the hostname change to work, as I've said in the side notes.

Your complete event shows my initial guess was accurate: your event doesn't end with ASM:. Remove the dollar sign.

0 Karma

riqbal
Communicator

Not successful yet.

My regex is the following:

\s(\S+) ASM:

ASM: is not part of the hostname.
The hostname is "ac.dc1.buttercomom.com".
Can you please write down the complete transforms.conf file including the regex? I am missing something.

0 Karma

493669
Super Champion

As per @martin_mueller's comment, can you try the below:
transforms.conf

[host_name]
REGEX = ^.{44}(\S+)\sASM
FORMAT = host::$1
DEST_KEY = MetaData:Host

Here I am escaping the first 44 characters (timestamps) and then matching for the host name.

serjandrosov
Path Finder

\w+\s+\d+\s+\d+:\d+:\d+\s+[^\s]+\s\w+\s+\d+\s+\d+:\d+:\d+\s+([^\s]+)

It does not look elegant, but it takes only 26 steps and is backward-matching safe.
https://regex101.com/r/1xLXd0/2

0 Karma

riqbal
Communicator

Hi Martin,

I am stuck at side note 3.
My complete event is below:

Sep 20 11:13:18 1x.xx.xx.1xx0 Sep 20 11:13:15 ac.dc1.buttercomom.com ASM:"MONEYPAK_WEBAPP","MONEYPAK_CLASS","Blocked","Attack signature detected","xxxx4520",,"GET /Content/Images/ixx_logo01_module02.gif HTTP/1.1\r\nHost: www.xxxxk.com\r\nUser-Agent: sxx/1.0x6264944] UP.

Please advise.

0 Karma