Solved: Re: How do I route based on host and source type?

lukessi · ‎09-24-2018

Hi,

I am routing traffic to a 3rd party. I have done some of this based on a host and others based on the source type.

But I now need to route based on a host and a sourcetype and I can't work out how to do it?

Any tips of where to look?

FrankVl · ‎09-24-2018

I think you could do something along these lines, triggering the transforms based on sourcetype, but inside the transforms config filter by host using the REGEX.

props.conf:

[yoursourcetype]
TRANSFORMS-setrouting = your-routing

transforms.conf

[your-routing]
SOURCE_KEY = MetaData:Host
REGEX = (host1|host2|...|hostn)
DEST_KEY = _TCP_ROUTING
FORMAT = your-outputgroup

View solution in original post

FrankVl · ‎09-24-2018

I think you could do something along these lines, triggering the transforms based on sourcetype, but inside the transforms config filter by host using the REGEX.

props.conf:

[yoursourcetype]
TRANSFORMS-setrouting = your-routing

transforms.conf

[your-routing]
SOURCE_KEY = MetaData:Host
REGEX = (host1|host2|...|hostn)
DEST_KEY = _TCP_ROUTING
FORMAT = your-outputgroup

krithikar · ‎04-21-2023

What if we have multiple hosts , say 500 and above can we mark and * to pick up all the host name .

REGEX = (host*)

If my host name starts with ABCD and if i say ABCD* will this work ?. Or say my events have these hosts under a field called computername

REGEX = (?ms)(ComputerName=ABCD*.domain.com)

lukessi · ‎09-24-2018

Cheers mate I came to that solution too. Just double checking if there was another way.

How do I route based on host and source type?

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?