Getting Data In

Props and transforms hostname override not working

ayomotukoya
Explorer

Hi all. Having an issue with hostname override for snmp logs. An issue I’m having is i created this props and transforms to get the agent_hostname from the logs to override the host (syslog011) for these snmp trap logs but it doesn’t seem to have worked. Not sure what the mistake is herE.

TRANSFORMS.CONF

[snmptrapd_kv]

DELIMS - "\n," ="

[snmp_hostname_change]

DEST_KEY-MetaData: : Host

REGEX-Agent_Hostname = (•*)

FORMAT-host:: $1

PROPS.CONF

[snmptrapd]

disabled = false

LINE BREAKER = ([\r\n]+) Agent_ Address\s=

MAX TIMESTAMP LOOKAHEAD = 30

NO_BINARY_CHECK - true

SHOULD LINEMERGE = false

TIME

_FORMAT = SY-8m-%d 8H:&M: :S

TIME

_PREFIX = Datels=\s

EXTRACT-node = ^[^\[\n]*\[(?P<node>[^\]]+)

REPORT-snmptrapd = snmptrapd_kv

TRANSFORMS-snmp_hostname_change = snmp_hostname_change

 

0 Karma

livehybrid
Super Champion

Hi @ayomotukoya 

Can I check which method you are using to ingest the SNMP data? Is it using Splunk Connect for SNMP? (https://splunk.github.io/splunk-connect-for-snmp/main/) - If so this sends the data to Splunk with HEC so would require a different approach to this problem.

Or is this monitoring local files which are saved to disk from SNMP? If so, is this on a Universal Forwarder (UF) or heavy forwarder (HF)?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Please use code block or preformatted paragraphs for config snippets. It greatly improves readability.

And your config's syntax is completely off. If that is your actual config, use

splunk btool check

to verify your config. If not, please copy-paste your literal settings.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @ayomotukoya ,

I suppose that the transforms.conf isn't correct:

[snmp_hostname_change]
DEST_KEY = MetaData::Host
REGEX = Agent_Hostname\s*\=\s*(.*)
FORMAT = host::$1

I can be more detailed and sure if you could share a sample of your logs.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...