Hi All, I have a request from the client to overwrite the host field value with the dvc field value from the interesting fields in Splunk.
Example:
index = firewall host=test01 sourcetype=opsec | table host dvc_host
We could see that host = test01 and dvc_host = test02.xxxx.com
Actual requirement:
We want to overwrite the "host" field for these logs to use the value of the "dvc" field (test02.xxxx.com) instead of test01, and also want to remove ".xxxx.com" so that "test02.xxxx.com" is written to the "host" field as "test02".
Kindly guide me how to overwrite host value = test01 with dvc field=test02.
Hey, try this on the indexer:
props.conf (indexer)
[<sourcetype>]
TRANSFORMS-host_override = host_override
transforms.conf (indexer)
[host_override]
REGEX = orig=([^\.|\|]+)
DEST_KEY = MetaData:Host
FORMAT = host::$1
Hi micahkemp, could you please guide me on this.
This is still on my list, but I'm working several other things right now as well.
Hi micahkemp, could you please guide me to fix this issue? I am still unable to fix it.
Thanks in advance.
Do you want to change the indexed value of host, or just the value at search time? If the former, you would need to use an index-time transform to set the value of MetaData:Host. From the transforms.conf doc:
[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \s(\w*)$
FORMAT = host::$1
Hi micahkemp, thanks for your effort on this. Yes, I need to change the value of the host. Currently host=test01 is the source from where the data is being ingested into Splunk, and the other host details are found in the event data.
With the help of the forum, I had executed the query below to overwrite the "host" field for logs to use the value of the "dvc" field and also to remove ".xxxx.com" and write to the "host" field without xxxx.com.
But it did not work as expected; it included the other host details test02, test03 etc. under the host field along with host=test01.
index=firewall sourcetype="opsec:vpn" | rex field=dvc "(?<host>[^\.]+)" | table host dvc
host      dvc
test01    test02
test02
test01    test03
test03
Event details:
time=1517397957|loc=10718231|fileid=1517392517|action=decrypt|**orig=test02.xxxx.com**|i/f_dir=inbound|i/f_name=bond0.470|has_accounting=0|uuid=<5a71a7c5,00000005,30f08e0a,c0000000>|product=VPN-1 & FireWall-1|inzone=External|outzone=Internal|rule=250|rule_uid={DAE6-F7DD-4167-BCAC-1DE4B472}|rule_name=DNS|service_id=domain-udp|src=10.x.x.x|s_port=577|dst=dip02.xxxx.com|service=domain-udp|proto=udp|scheme:=IKE|methods:=ESP: AES-128 + SHA1 + PFS (group 2)|peer gateway=VPN_AWS_Gateway_Prod2|community=vpn-xxxxe799|fw_subproduct=VPN-1|vpn_feature_name=VPN|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={0181B41F-6A86-E04C-8E1E-38146FBFD921};**mgmt=test01**;date=1517158905;policy_name=Global-2]|origin_sic_name=CN=test02.xxxx.com,O=dron01.xxxx.com.evv25
Getting the other host details under selected fields, along with host=test01.
Note: test01 is the source from where the data is ingested into Splunk, and the other host values are found in the events.
Need to override host=test01 when the data is getting indexed itself, and in the host field we should get only the host values from orig=test02.xxxx.com in the event data.
Props.conf Details:
[opsec:vpn]
KV_MODE = none
REPORT-0policy_id_tag_for_opsec = policy_id_tag_for_opsec,mgmt_for_opsec,
REPORT-action_as_threat_emulation_action = action_as_threat_emulation_action
REPORT-auto_kv_for_opsec = auto_kv_for_opsec
FIELDALIAS-dvc_for_opsec = orig as dvc
There are many EVAL and FIELDALIAS settings in the props for this sourcetype.
Transforms.conf:
[opsec_sourcetype_vpn]
REGEX = fw_subproduct\=VPN-1
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::opsec:vpn
[action_as_threat_emulation_action]
REGEX = action\=([^|]+)
FORMAT = te_action::$1
[auto_kv_for_opsec]
REGEX = ([^|=]*)\b:?=([^|]*)
FORMAT = $1::$2
[policy_id_tag_for_opsec]
REGEX = __policy_id_tag\=([^|]+)
FORMAT = policy_id_tag::$1
Kindly guide me how to overwrite host value = test01 with dvc field=test02.
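The behaviour reported in this post, and the index-time approach proposed in the two earlier answers, can be checked offline before anything is changed on the indexers. The script below is an added example, not code from the thread or from Splunk: it uses Python's re module as a stand-in for Splunk's PCRE engine and models three things against the raw event quoted above (copied with the bold markers removed): (1) the search-time rex, which adds a second value to the existing host field instead of replacing it, which is exactly why host shows test01 and test02 together; (2) an index-time MetaData:Host transform using REGEX orig=([^.|]+), a variant of the answer's orig=([^\.|\|]+) that behaves the same on this event; and (3) the transforms.conf doc regex \s(\w*)$, which never matches this pipe-delimited format. All function names, and the simplified model of how rex and MetaData:Host behave, are my assumptions for illustration.

```python
import re

# Constructed sample: the raw event quoted in the thread, bold markers removed.
RAW_EVENT = (
    "time=1517397957|loc=10718231|fileid=1517392517|action=decrypt|"
    "orig=test02.xxxx.com|i/f_dir=inbound|i/f_name=bond0.470|has_accounting=0|"
    "uuid=<5a71a7c5,00000005,30f08e0a,c0000000>|product=VPN-1 & FireWall-1|"
    "inzone=External|outzone=Internal|rule=250|rule_uid={DAE6-F7DD-4167-BCAC-1DE4B472}|"
    "rule_name=DNS|service_id=domain-udp|src=10.x.x.x|s_port=577|dst=dip02.xxxx.com|"
    "service=domain-udp|proto=udp|scheme:=IKE|methods:=ESP: AES-128 + SHA1 + PFS (group 2)|"
    "peer gateway=VPN_AWS_Gateway_Prod2|community=vpn-xxxxe799|fw_subproduct=VPN-1|"
    "vpn_feature_name=VPN|__policy_id_tag=product=VPN-1 & FireWall-1"
    "[db_tag={0181B41F-6A86-E04C-8E1E-38146FBFD921};mgmt=test01;date=1517158905;"
    "policy_name=Global-2]|origin_sic_name=CN=test02.xxxx.com,O=dron01.xxxx.com.evv25"
)


def _to_python_regex(regex):
    """Splunk (PCRE) writes named groups as (?<name>...); Python's re needs (?P<name>...).
    Lookbehinds (?<= and (?<! are left alone."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", regex)


def index_time_host(raw, regex):
    """Model of a transforms.conf stanza with DEST_KEY = MetaData:Host and FORMAT = host::$1:
    the first capture group of REGEX, matched against the raw event, becomes the indexed host.
    Returns None when REGEX does not match (the transform then leaves host untouched)."""
    m = re.search(_to_python_regex(regex), raw)
    return m.group(1) if m else None


def search_time_rex(fields, field, regex):
    """Model of `rex field=<field> "(?<name>...)"` at search time (assumed behaviour, matching
    the result table in the thread): every named group is added as a value of that field, and a
    field that already exists keeps its old value, so host becomes multivalue."""
    out = {k: list(v) for k, v in fields.items()}
    values = out.get(field)
    if not values:
        return out
    m = re.search(_to_python_regex(regex), values[0])
    if m:
        for name, val in m.groupdict().items():
            out.setdefault(name, []).append(val)
    return out


def compare_approaches():
    # What a search sees for one event: host is the indexed metadata (the forwarding host test01),
    # dvc is the search-time FIELDALIAS of orig taken from the event body.
    fields = {"host": ["test01"], "dvc": ["test02.xxxx.com"]}

    # 1. The search-time rex from the thread: test02 is added next to test01, not in place of it.
    rex_host = search_time_rex(fields, "dvc", r"(?<host>[^\.]+)")["host"]

    # 2. Index-time override: capture the value after orig= up to the next dot or pipe,
    #    so the domain suffix is dropped by the regex itself and no extra rex is needed.
    override = index_time_host(RAW_EVENT, r"orig=([^.|]+)")

    # 3. The transforms.conf doc example assumes a hostname at the end of a whitespace-separated
    #    line; on this pipe-delimited event it never matches, so it must be adapted, not copied.
    doc_example = index_time_host(RAW_EVENT, r"\s(\w*)$")

    return {
        "search_time_rex": rex_host,          # ['test01', 'test02']
        "index_time_override": override,      # 'test02'
        "doc_regex": doc_example,             # None
    }


if __name__ == "__main__":
    for name, result in compare_approaches().items():
        print(f"{name}: {result!r}")
```

One point to verify before deploying the real stanza: the transforms.conf shown above already contains [opsec_sourcetype_vpn], which rewrites the sourcetype to opsec:vpn at index time. Index-time TRANSFORMS listed under the rewritten sourcetype's props stanza are not applied, so TRANSFORMS-host_override has to be placed in the props stanza of the sourcetype the data arrives with (sourcetype=opsec in the first search), not under [opsec:vpn]; the REPORT and FIELDALIAS settings under [opsec:vpn] are search-time and are unaffected. Also keep in mind that an index-time change only affects events indexed after the change; existing events keep host=test01.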
Hi @Hemnaath,
Try this:
index = firewall host=test01 sourcetype=opsec | table host dvc_host | rex field=dvc_host "(?<host>\w+)"
Try this run-anywhere search:
| makeresults | eval host = "test01", dvc_host = "test02.xxxx.com" | rex field=dvc_host "(?<host>\w+)"
Hope this helps!
Hi, thanks for your effort on this, but it did not fetch the result as expected. After executing the above query I got the output below.
index=firewall | rex field=dvc "(?<host>\w+)" | table host dvc
host      dvc
test01    test02
test02
test01    test03
test03
Event details:
time=1517397957|loc=10718231|fileid=1517392517|action=decrypt|**orig=test02.xxxx.com**|i/f_dir=inbound|i/f_name=bond0.470|has_accounting=0|uuid=<5a71a7c5,00000005,30f08e0a,c0000000>|product=VPN-1 & FireWall-1|inzone=External|outzone=Internal|rule=250|rule_uid={DAE6-F7DD-4167-BCAC-1DE4B472}|rule_name=DNS|service_id=domain-udp|src=10.x.x.x|s_port=577|dst=dip02.xxxx.com|service=domain-udp|proto=udp|scheme:=IKE|methods:=ESP: AES-128 + SHA1 + PFS (group 2)|peer gateway=VPN_AWS_Gateway_Prod2|community=vpn-xxxxe799|fw_subproduct=VPN-1|vpn_feature_name=VPN|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={0181B41F-6A86-E04C-8E1E-38146FBFD921};**mgmt=test01**;date=1517158905;policy_name=Global-2]|origin_sic_name=CN=test02.xxxx.com,O=dron01.xxxx.com.evv25
And in the selected fields, host=test01, test02, test03, etc.
Note: test01 is the source from where the data is ingested into Splunk, and the other host values are found in the events.
Need to override host=test01 when the data is getting indexed itself. So kindly guide me how to fix this issue.
Can you provide the output of
index=firewall | rex field=dvc_host "(?<host>\w+)" | table host dvc dvc_host
as here the regex is applied on the dvc_host field.
Hey, the regex got applied to the field dvc, and I have already pasted the output in my previous comment.