- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Props/transforms issue with host extraction an...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Props/transforms issue with host extraction and Line breaking
Transforms.conf
[force_host_for_testdata]
DEST_KEY = MetaData:Host
REGEX = server:([^\]+)
FORMAT = host::$1
[force_host_for_testdata_1]
DEST_KEY = MetaData:Host
REGEX = MQ:\s+([^\]+)
FORMAT = host::$1
Props.conf
[test_st]
TZ = GMT
LINE_BREAKER = \d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+Information:
SHOULD_LINEMERGE = false
TRANSFORMS-force_host_for_testdata = force_host_for_testdata
TRANSFORMS-force_host_for_testdata_1 = force_host_for_testdata_1
This config works on my local machine, but when pushed to heavy forwarders it doesn't work!
Need suggestions as to what is going wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is test_st sourcetype data coming from Heavy Forwarder ? If yes then props.conf and transforms.conf should be on HF and not on IDX.
Additionally can you please provide some sample data (Please mask any sensitive data).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is coming from HF.
2017-08-02 02:16:15 Information: Process returned code XXX
ProcessLauncher\PL (Fast)
Command output:
Operating system is 32 bit
Application is running in 32 bit mode
SOME PROCESS SUCCESSFULLY EXECUTED - CODE XXX
Process exited with code XXX
Parameters:
Test.exe /component:Solution /process:"Test Process" /platform:Data /server:test-server\ABCD,12345 /db:TEST
Start: 02 Aug 2017 02:15:31
End: 02 Aug 2017 02:16:15
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your server name is test-server then try below config in transforms.conf
[force_host_for_testdata]
DEST_KEY = MetaData:Host
REGEX = server\:([^\\]+)
FORMAT = host::$1
And you have provided only one sample data so I am not sure about another config but give this a try or provide sample data for regex MQ:\s+([^\]+)
[force_host_for_testdata_1]
DEST_KEY = MetaData:Host
REGEX = MQ\:\s+([^\\]+)
FORMAT = host::$1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Found it working, thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you need to put props.conf and transforms.conf on indexer not on forwarders. and then restart the indexer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this feed is coming from HF so is there still a need to deploy on indexers
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
