Getting Data In

How to override the host and indexer if they are from a specific IP address?

Communicator

Hi everyone,

I would like overwrite the host and indexer coming from my Splunk universal forwarder in my main indexer if they are from a specific IP address.
The logs are coming from an internal network, so the fields IP are between 10.30.75.1 and 10.30.76.100.

I write down a props.conf and a transforms.conf, but they are not actually working. Could someone help me?

props:

 [subnetwork1]
 EXTRACT-extract_ip = (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
 TRANSFORMS-subnetwork1=subnetwork1

transforms:

[subnetwork1]
REGEX = (?<ip>\10\.\30\.\*\.\*)
FORMAT = host::$1
INDEX=subnetwork1

Could someone help me?

0 Karma
1 Solution

Champion

Only heavy forwarders and Indexer have the ability to overwrite meta fields

To overwrite index your transform needs to look something like this

#transfroms.conf
[index_rename]
REGEX = (\10\.\30\.\*\.\*)
DEST_KEY = _MetaData:Index
FORMAT = subnetwork1

[host_rename]
REGEX = (\10\.\30\.\*\.\*)
DEST_KEY = _MetaData:Host
FORMAT = $1

#props.conf
[mySourcetype]
TRANSFORMS-renames = host_rename, index_rename

View solution in original post

Communicator

Hi Federica,
you are pretty close. Fieldtransformation is done on your indexer (or a heavy forwarder). The following configuration should work:

props.conf

 [test]
 TRANSFORMS-ipextraction = ip-extraction

transforms.conf

 [ip-extraction]
 DEST_KEY = MetaData:Host
 REGEX =(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
 FORMAT = $1

In the props.conf [test] is the sourcetype of your input. I assume you have to change it to [subnetwork1], if thats the sourcetype of your input.

I hope it helps.

Greetings

Communicator

Thank you! 🙂

0 Karma

Champion

Only heavy forwarders and Indexer have the ability to overwrite meta fields

To overwrite index your transform needs to look something like this

#transfroms.conf
[index_rename]
REGEX = (\10\.\30\.\*\.\*)
DEST_KEY = _MetaData:Index
FORMAT = subnetwork1

[host_rename]
REGEX = (\10\.\30\.\*\.\*)
DEST_KEY = _MetaData:Host
FORMAT = $1

#props.conf
[mySourcetype]
TRANSFORMS-renames = host_rename, index_rename

View solution in original post

Communicator

bmacias84 was faster 🙂

0 Karma