
How can I change hostname in log files?

Communicator

I am trying to change the host name. The name is from the log files.

Sep 20 11:13:18 10.50.3.100 Sep 20 11:13:15 ac.dc1.buttercomom.com ASM:

The host name is always before ASM:

I tried to change it through transforms.conf but the host name is not changing. Below is my transforms.conf file:
transforms.conf

[host_name]
SOURCE_KEY = _raw
REGEX = \s(\w+.\w+.\w+.\w+) ASM:$
FORMAT = host::$1
DEST_KEY =  MetaData:Host

props.conf

[f5xxx]
DATETIME_CONFIG = 
NO_BINARY_CHECK = true
TIME_PREFIX = x0x.xx.x.xx
category = Custom
pulldown_type = true
TRANSFORMS-register = host_name

How can I change the hostname?
Secondly, if there is a problem in my regex, how can I identify that there is a problem? Any clue from log file?

0 Karma

Re: How can I change hostname in log files?

SplunkTrust

Does your log event end with ASM:? If not, remove the dollar sign from the regex as that would stop the regex from matching.

Side note 1: to match literal dots use \. instead of ., which matches any character.
Side note 2: you're constricting your host names to four levels / three dots; you probably want to match any non-space hostname by using \S+.
Side note 3: anchoring your regex on ASM: after your variable part is really bad for performance. After getting the hostname change to work, consider anchoring the regex at the beginning of the string, skipping over date-ip-date and then matching the next non-space part as the hostname.


0 Karma

Re: How can I change hostname in log files?

Communicator

Hi Martin,

I am stuck at side note 3.
My complete event is below:

Sep 20 11:13:18 1x.xx.xx.1xx0 Sep 20 11:13:15 ac.dc1.buttercomom.com ASM:"MONEYPAKWEBAPP","MONEYPAKCLASS","Blocked","Attack signature detected","xxxx4520",,"GET /Content/Images/ixxlogo01module02.gif HTTP/1.1\r\nHost: www.xxxxk.com\r\nUser-Agent: sxx/1.0x6264944] UP.

Please advise.

0 Karma

Re: How can I change hostname in log files?

SplunkTrust

So... your hostname replacement is working now? The side notes don't contribute to correctness; tackle them after getting the hostname change to work, as I've said in the side notes.

Your complete event says my initial guess was accurate, your event doesn't end with ASM:. Remove the dollar sign.

0 Karma

Re: How can I change hostname in log files?

Communicator

Not yet successful.

My regex is the following:

\s(\S+) ASM:

ASM: is not a part of the hostname.
The hostname is "ac.dc1.buttercomom.com".
Can you please write down the complete transforms.conf file including the regex? I am missing something.

0 Karma

Re: How can I change hostname in log files?

Super Champion

As per @martin_mueller's comment, can you try the below:
transforms.conf

[host_name]
REGEX = ^.{44}(\S+)\sASM
FORMAT = host::$1
DEST_KEY = MetaData:Host

Here I am escaping the first 44 characters (timestamps) and then matching for the host name.


Re: How can I change hostname in log files?

Path Finder

\w+\s+\d+\s+\d+:\d+:\d+\s+[^\s]+\s\w+\s+\d+\s+\d+:\d+:\d+\s+([^\s]+)

It doesn't look elegant, but it takes only 26 steps and is backward-matching safe.
https://regex101.com/r/1xLXd0/2

0 Karma
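The asker's second question, how to tell whether the regex itself is the problem, is easiest to answer by running each candidate regex from this thread against a sample event outside Splunk before touching transforms.conf. The script below is an added example, not code from the thread or from Splunk; it uses Python's re module (close enough to Splunk's PCRE for these patterns, though not identical), the asker's first event line plus a constructed second event with a shorter IP address, and hypothetical helper names extract_host and compare_candidates. The `$`-anchored original returns nothing because the event continues after ASM:, the `\s(\S+) ASM:` form works, and the fixed-offset `^.{44}` form works only while the date-ip-date prefix is exactly 44 characters, so a shorter IP shifts the offset and yields a truncated hostname. The Path Finder's field-by-field regex is the one that survives both events.

```python
import re

# Constructed sample events. The first mirrors the asker's event line; the second
# is invented here with a shorter IP to show why a fixed-width offset is brittle.
EVENTS = [
    'Sep 20 11:13:18 10.50.3.100 Sep 20 11:13:15 ac.dc1.buttercomom.com ASM:"MONEYPAKWEBAPP","Blocked"',
    'Sep 20 11:13:18 10.5.3.1 Sep 20 11:13:15 ac.dc1.buttercomom.com ASM:"MONEYPAKWEBAPP","Blocked"',
]

# Every REGEX value posted in the thread, keyed by a label chosen here.
CANDIDATES = {
    "asker_original": r"\s(\w+.\w+.\w+.\w+) ASM:$",   # $ requires ASM: at end of event
    "asker_fixed":    r"\s(\S+) ASM:",                 # dollar sign removed
    "fixed_offset":   r"^.{44}(\S+)\sASM",             # assumes 44-char prefix
    "explicit_fields": r"\w+\s+\d+\s+\d+:\d+:\d+\s+[^\s]+\s\w+\s+\d+\s+\d+:\d+:\d+\s+([^\s]+)",
}


def extract_host(regex: str, event: str):
    """Return capture group 1 (what FORMAT = host::$1 would use) or None on no match.

    Hypothetical helper: Splunk applies REGEX with search semantics, so re.search
    (not re.match) is the closer analogue.
    """
    m = re.search(regex, event)
    return m.group(1) if m else None


def compare_candidates(events=EVENTS, candidates=CANDIDATES):
    """Run every candidate regex over every event; None marks a non-matching regex.

    Hypothetical helper: a None anywhere in the row means the transform would
    silently leave the host unchanged for that event, which is exactly the
    symptom the asker saw.
    """
    return {
        label: [extract_host(regex, event) for event in events]
        for label, regex in candidates.items()
    }


if __name__ == "__main__":
    for label, hosts in compare_candidates().items():
        print(f"{label:16s} -> {hosts}")
```

Within Splunk itself the same check can be done at search time with the rex command (for example `| rex field=_raw "<your regex>"`) and inspecting whether the capture group is populated, before committing the pattern to an index-time transform.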