Solved: How to change host with props.conf and transforms....

ilhwan · ‎03-09-2022

I have an add-on running on a heavy forwarder that is using the name of the HF as the host. I'm trying to change the host to something more useful. All of the events are of the sourcetype rubrik:*.

Here is a sample event:

{"_time": "2022-03-07T23:31:00.000Z", "clusterName": "my-host", "locationId": "XXXmaskedXXX", "locationName": "XXXmaskedXXX", "type": "Outgoing", "value": 0}

I would like to use "my-host" as the host. This is what I'm trying with no success.

props.conf:

[rubrik:*]
TRANSFORMS-myhost = hostoverride

transforms.conf:

[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \"clusterName\"\:\s\"(.+)\".+
FORMAT = host::$1

ilhwan · ‎03-11-2022

I got it to work. The problem was props.conf. I had to not use a wildcard in the sourcetype.

This is what is working for me.

props.conf:

[rubrik:archivebandwidth]
TRANSFORMS-hostoverride = hostoverride

[rubrik:archiveusage]
TRANSFORMS-hostoverride = hostoverride

[rubrik:clusteriostats]
TRANSFORMS-hostoverride = hostoverride

[rubrik:eventfeed]
TRANSFORMS-hostoverride = hostoverride

[rubrik:mvsummary]
TRANSFORMS-hostoverride = hostoverride

[rubrik:nodeiostats]
TRANSFORMS-hostoverride = hostoverride

[rubrik:nodestats]
TRANSFORMS-hostoverride = hostoverride

[rubrik:orgcapacityreport]
TRANSFORMS-hostoverride = hostoverride

[rubrik:runwayremaining]
TRANSFORMS-hostoverride = hostoverride

[rubrik:storagesummary]
TRANSFORMS-hostoverride = hostoverride

transforms.conf:

[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \"clusterName\":\s\"([a-zA-Z-_]+)\"
FORMAT = host::$1

View solution in original post

gcusello · ‎03-09-2022

Hi @ilhwan,

only one question: where do you located props and transforms?

In your case they must located in the Heavy Forwarder.

Ciao.

Giuseppe

ilhwan · ‎03-10-2022

Yes, it's on the HF that has the add-on. It's in the local directory.

gcusello · ‎03-10-2022

Hi @ilhwan,

the regex you used in transforms.conf isn't correct, please try

\"clusterName\"\:\s\"([^\"]+)\".+

that you can test at https://regex101.com/r/Tt1gyI/1

Ciao.

Giuseppe

ilhwan · ‎03-11-2022

That captures the entire rest of the line instead of just the field I'm interested in. This is what I'm trying now:

[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \"clusterName\":\s\"([a-zA-Z-_]+)\"
FORMAT = host::$1

ilhwan · ‎03-11-2022

I got it to work. The problem was props.conf. I had to not use a wildcard in the sourcetype.

This is what is working for me.

props.conf:

[rubrik:archivebandwidth]
TRANSFORMS-hostoverride = hostoverride

[rubrik:archiveusage]
TRANSFORMS-hostoverride = hostoverride

[rubrik:clusteriostats]
TRANSFORMS-hostoverride = hostoverride

[rubrik:eventfeed]
TRANSFORMS-hostoverride = hostoverride

[rubrik:mvsummary]
TRANSFORMS-hostoverride = hostoverride

[rubrik:nodeiostats]
TRANSFORMS-hostoverride = hostoverride

[rubrik:nodestats]
TRANSFORMS-hostoverride = hostoverride

[rubrik:orgcapacityreport]
TRANSFORMS-hostoverride = hostoverride

[rubrik:runwayremaining]
TRANSFORMS-hostoverride = hostoverride

[rubrik:storagesummary]
TRANSFORMS-hostoverride = hostoverride

transforms.conf:

[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \"clusterName\":\s\"([a-zA-Z-_]+)\"
FORMAT = host::$1

gcusello · ‎03-11-2022

Hi @ilhwan,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

How to change host with props.conf and transforms.conf

heavy forwarder

host

props.conf

transforms.conf

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

How to change host with props.conf and transforms.conf

heavy forwarder

host

props.conf

transforms.conf

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits