Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to change host with props.conf and transforms....
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have an add-on running on a heavy forwarder that is using the name of the HF as the host. I'm trying to change the host to something more useful. All of the events are of the sourcetype rubrik:*.
Here is a sample event:
{"_time": "2022-03-07T23:31:00.000Z", "clusterName": "my-host", "locationId": "XXXmaskedXXX", "locationName": "XXXmaskedXXX", "type": "Outgoing", "value": 0}
I would like to use "my-host" as the host. This is what I'm trying with no success.
props.conf:
[rubrik:*]
TRANSFORMS-myhost = hostoverride
transforms.conf:
[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \"clusterName\"\:\s\"(.+)\".+
FORMAT = host::$1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I got it to work. The problem was props.conf. I had to not use a wildcard in the sourcetype.
This is what is working for me.
props.conf:
[rubrik:archivebandwidth]
TRANSFORMS-hostoverride = hostoverride
[rubrik:archiveusage]
TRANSFORMS-hostoverride = hostoverride
[rubrik:clusteriostats]
TRANSFORMS-hostoverride = hostoverride
[rubrik:eventfeed]
TRANSFORMS-hostoverride = hostoverride
[rubrik:mvsummary]
TRANSFORMS-hostoverride = hostoverride
[rubrik:nodeiostats]
TRANSFORMS-hostoverride = hostoverride
[rubrik:nodestats]
TRANSFORMS-hostoverride = hostoverride
[rubrik:orgcapacityreport]
TRANSFORMS-hostoverride = hostoverride
[rubrik:runwayremaining]
TRANSFORMS-hostoverride = hostoverride
[rubrik:storagesummary]
TRANSFORMS-hostoverride = hostoverride
transforms.conf:
[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \"clusterName\":\s\"([a-zA-Z-_]+)\"
FORMAT = host::$1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ilhwan,
only one question: where do you located props and transforms?
In your case they must located in the Heavy Forwarder.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it's on the HF that has the add-on. It's in the local directory.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ilhwan,
the regex you used in transforms.conf isn't correct, please try
\"clusterName\"\:\s\"([^\"]+)\".+that you can test at https://regex101.com/r/Tt1gyI/1
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That captures the entire rest of the line instead of just the field I'm interested in. This is what I'm trying now:
[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \"clusterName\":\s\"([a-zA-Z-_]+)\"
FORMAT = host::$1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I got it to work. The problem was props.conf. I had to not use a wildcard in the sourcetype.
This is what is working for me.
props.conf:
[rubrik:archivebandwidth]
TRANSFORMS-hostoverride = hostoverride
[rubrik:archiveusage]
TRANSFORMS-hostoverride = hostoverride
[rubrik:clusteriostats]
TRANSFORMS-hostoverride = hostoverride
[rubrik:eventfeed]
TRANSFORMS-hostoverride = hostoverride
[rubrik:mvsummary]
TRANSFORMS-hostoverride = hostoverride
[rubrik:nodeiostats]
TRANSFORMS-hostoverride = hostoverride
[rubrik:nodestats]
TRANSFORMS-hostoverride = hostoverride
[rubrik:orgcapacityreport]
TRANSFORMS-hostoverride = hostoverride
[rubrik:runwayremaining]
TRANSFORMS-hostoverride = hostoverride
[rubrik:storagesummary]
TRANSFORMS-hostoverride = hostoverride
transforms.conf:
[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \"clusterName\":\s\"([a-zA-Z-_]+)\"
FORMAT = host::$1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ilhwan,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
