Solved: How to change host with props.conf and transforms....

ilhwan · ‎03-09-2022

I have an add-on running on a heavy forwarder that is using the name of the HF as the host. I'm trying to change the host to something more useful. All of the events are of the sourcetype rubrik:*.

Here is a sample event:

{"_time": "2022-03-07T23:31:00.000Z", "clusterName": "my-host", "locationId": "XXXmaskedXXX", "locationName": "XXXmaskedXXX", "type": "Outgoing", "value": 0}

I would like to use "my-host" as the host. This is what I'm trying with no success.

props.conf:

[rubrik:*]
TRANSFORMS-myhost = hostoverride

transforms.conf:

[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \"clusterName\"\:\s\"(.+)\".+
FORMAT = host::$1

ilhwan · ‎03-11-2022

I got it to work. The problem was props.conf. I had to not use a wildcard in the sourcetype.

This is what is working for me.

props.conf:

[rubrik:archivebandwidth]
TRANSFORMS-hostoverride = hostoverride

[rubrik:archiveusage]
TRANSFORMS-hostoverride = hostoverride

[rubrik:clusteriostats]
TRANSFORMS-hostoverride = hostoverride

[rubrik:eventfeed]
TRANSFORMS-hostoverride = hostoverride

[rubrik:mvsummary]
TRANSFORMS-hostoverride = hostoverride

[rubrik:nodeiostats]
TRANSFORMS-hostoverride = hostoverride

[rubrik:nodestats]
TRANSFORMS-hostoverride = hostoverride

[rubrik:orgcapacityreport]
TRANSFORMS-hostoverride = hostoverride

[rubrik:runwayremaining]
TRANSFORMS-hostoverride = hostoverride

[rubrik:storagesummary]
TRANSFORMS-hostoverride = hostoverride

transforms.conf:

[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \"clusterName\":\s\"([a-zA-Z-_]+)\"
FORMAT = host::$1

View solution in original post

gcusello · ‎03-09-2022

Hi @ilhwan,

only one question: where do you located props and transforms?

In your case they must located in the Heavy Forwarder.

Ciao.

Giuseppe

ilhwan · ‎03-10-2022

Yes, it's on the HF that has the add-on. It's in the local directory.

gcusello · ‎03-10-2022

Hi @ilhwan,

the regex you used in transforms.conf isn't correct, please try

\"clusterName\"\:\s\"([^\"]+)\".+

that you can test at https://regex101.com/r/Tt1gyI/1

Ciao.

Giuseppe

ilhwan · ‎03-11-2022

That captures the entire rest of the line instead of just the field I'm interested in. This is what I'm trying now:

[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \"clusterName\":\s\"([a-zA-Z-_]+)\"
FORMAT = host::$1

ilhwan · ‎03-11-2022

I got it to work. The problem was props.conf. I had to not use a wildcard in the sourcetype.

This is what is working for me.

props.conf:

[rubrik:archivebandwidth]
TRANSFORMS-hostoverride = hostoverride

[rubrik:archiveusage]
TRANSFORMS-hostoverride = hostoverride

[rubrik:clusteriostats]
TRANSFORMS-hostoverride = hostoverride

[rubrik:eventfeed]
TRANSFORMS-hostoverride = hostoverride

[rubrik:mvsummary]
TRANSFORMS-hostoverride = hostoverride

[rubrik:nodeiostats]
TRANSFORMS-hostoverride = hostoverride

[rubrik:nodestats]
TRANSFORMS-hostoverride = hostoverride

[rubrik:orgcapacityreport]
TRANSFORMS-hostoverride = hostoverride

[rubrik:runwayremaining]
TRANSFORMS-hostoverride = hostoverride

[rubrik:storagesummary]
TRANSFORMS-hostoverride = hostoverride

transforms.conf:

[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \"clusterName\":\s\"([a-zA-Z-_]+)\"
FORMAT = host::$1

gcusello · ‎03-11-2022

Hi @ilhwan,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

How to change host with props.conf and transforms.conf

heavy forwarder

host

props.conf

transforms.conf

See just what you’ve been missing | Observability tracks at Splunk University

Weezer at .conf25? Say it ain’t so!

How SC4S Makes Suricata Logs Ingestion Simple

Are you a member of the Splunk Community?

How to change host with props.conf and transforms.conf

heavy forwarder

host

props.conf

transforms.conf

See just what you’ve been missing | Observability tracks at Splunk University

Weezer at .conf25? Say it ain’t so!

How SC4S Makes Suricata Logs Ingestion Simple