Solved: Re: How can I change hostname in log files?

riqbal · ‎08-12-2018

I am trying to change the host name. the name is from the log files.

Sep 20 11:13:18 10.50.3.100 Sep 20 11:13:15 ac.dc1.buttercomom.com ASM:

the host name is always before ASM:

I tried to change it through transforms.conf but host name is not changing.below is my transforms.conf file
transforms.conf

[host_name]
SOURCE_KEY = _raw
REGEX = \s(\w+.\w+.\w+.\w+) ASM:$
FORMAT = host::$1
DEST_KEY =  MetaData:Host

props.conf

[f5xxx]
DATETIME_CONFIG = 
NO_BINARY_CHECK = true
TIME_PREFIX = x0x.xx.x.xx
category = Custom
pulldown_type = true
TRANSFORMS-register = host_name

How can I change the hostname?
Secondly, if there is a problem in my regex, how can I identify that there is a problem? Any clue from log file?

martin_mueller · ‎08-12-2018

Does your log event end with ASM:? If not, remove the dollar sign from the regex as that would stop the regex from matching.

Side note 1, to match literal dots use \. instead of . that matches any character.
Side note 2, you're constricting your host names to four levels / three dots - you probably want to match any non-space hostname by using \S+.
Side note 3, anchoring your regex on ASM: after your variable part is really bad for performance. After getting the hostname change to work, consider anchoring the regex at the beginning of the string, skipping over date-ip-date and then matching the next non-space part as the hostname.

View solution in original post

martin_mueller · ‎08-12-2018

Does your log event end with ASM:? If not, remove the dollar sign from the regex as that would stop the regex from matching.

Side note 1, to match literal dots use \. instead of . that matches any character.
Side note 2, you're constricting your host names to four levels / three dots - you probably want to match any non-space hostname by using \S+.
Side note 3, anchoring your regex on ASM: after your variable part is really bad for performance. After getting the hostname change to work, consider anchoring the regex at the beginning of the string, skipping over date-ip-date and then matching the next non-space part as the hostname.

martin_mueller · ‎08-12-2018

So... your hostname replacement is working now? All side notes don't contribute to correctness, tackle them after getting the hostname change to work as I've said in the side notes.

Your complete event says my initial guess was accurate, your event doesn't end with ASM:. Remove the dollar sign.

riqbal · ‎08-12-2018

yet not successfull.

My regex is folowing:

\s(\S+) ASM:

ASM: is not a part of hostname.
hostname is "ac.dc1.buttercomom.com "
can you please write down the complete transforms.conf file includeing regex. I am missing something

493669 · ‎08-12-2018

As per @martin_mueller comment can you try below:
transforms.conf

[host_name]
REGEX = ^.{44}(\S+)\sASM
FORMAT = host::$1
DEST_KEY = MetaData:Host

here I am escaping first 44 character(timestamp) and then matching for host name

serjandrosov · ‎08-12-2018

\w+\s+\d+\s+\d+:\d+:\d+\s+[^\s]+\s\w+\s+\d+\s+\d+:\d+:\d+\s+([^\s]+)

It looks not elegant but it takes only 26 steps and backward matching safe.
https://regex101.com/r/1xLXd0/2

riqbal · ‎08-12-2018

Hi Martin,

I am stuck at side note 3:
my complete event is below:

Sep 20 11:13:18 1x.xx.xx.1xx0 Sep 20 11:13:15 ac.dc1.buttercomom.com ASM:"MONEYPAK_WEBAPP","MONEYPAK_CLASS","Blocked","Attack signature detected","xxxx4520",,"GET /Content/Images/ixx_logo01_module02.gif HTTP/1.1\r\nHost: www.xxxxk.com\r\nUser-Agent: sxx/1.0x6264944] UP.

Please advise.

How can I change hostname in log files?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life