Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to replace the host in the event with the output from an event?

praspai
Path Finder
‎08-03-2015 02:37 AM

We have a script running on <script-server> which produces the output as below. We are getting service stats running on different servers like Host-Server-A and Host-Server-B. Currently, the event is tagged to the server where the script is running. Can we change the configuration such that host=<Script-Server> will get replaced with Host.HostName in the event?

8/3/15 
9:13:00.000 AM  
KpiId="193"|kpiName="Error Count: <Host-Server-A>, <port>, Service-name"|IsService.Svc="Service-name"|Host.HostName="Host-Server"|IntegrationServer.Port="<port>"|IsPackage.Name="<service-folder>"|date="2015-08-03T09:13:00Z"|value="5.0"

host = <Script-Server> source = /opt/splunk/etc/apps/B2B/bin/runOptimizeScript.sh sourcetype = OptimizeData

8/3/15 
9:13:00.000 AM  
KpiId="193"|kpiName="Error Count: <Host-Server-B>, <port>, Service-name"|IsService.Svc="Service-name"|Host.HostName="Host-Server"|IntegrationServer.Port="<port>"|IsPackage.Name="<service-folder>"|date="2015-08-03T09:13:00Z"|value="5.0"

host = <Script-Server> source = /opt/splunk/etc/apps/B2B/bin/runOptimizeScript.sh sourcetype = OptimizeData
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-03-2015 06:02 AM

You need to create the following changes and then deploy them to each of your Indexers and restart the Splunk instances there.

In props.conf:

[OptimizeData]
TRANSFORMS-hostoverride=hostoverride

In transforms.conf:

[hostoverride]
DEST_KEY = MetaData:Host
REGEX = Error\s+Count:\s+([^,]+)
FORMAT = host::$1

The documentation is here:

http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/overridedefaulthostassignments

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-03-2015 06:02 AM

You need to create the following changes and then deploy them to each of your Indexers and restart the Splunk instances there.

In props.conf:

[OptimizeData]
TRANSFORMS-hostoverride=hostoverride

In transforms.conf:

[hostoverride]
DEST_KEY = MetaData:Host
REGEX = Error\s+Count:\s+([^,]+)
FORMAT = host::$1

The documentation is here:

http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/overridedefaulthostassignments

Reply
Solved! Jump to solution

praspai
Path Finder
‎08-20-2015 01:08 AM

Hi,

Can you help me with REGEX if I want to capture value assigned to Host.HostName="Host-Server" ?

Thanks,
P

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-20-2015 01:59 PM

Use this:

REGEX = Error\s+Count:\s+([^,]+).*\|Host\.HostName="(?<HostServer>[^"]+)"
0 Karma
Reply
Solved! Jump to solution

praspai
Path Finder
‎08-23-2015 11:29 PM

Thanks a lot ..

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...