Props/transforms issue with host extraction and Line breaking

Path Finder

Transforms.conf

[force_host_for_testdata]
DEST_KEY = MetaData:Host
REGEX = server:([^\]+)
FORMAT = host::$1

[force_host_for_testdata_1]
DEST_KEY = MetaData:Host
REGEX = MQ:\s+([^\]+)

FORMAT = host::$1

Props.conf
[test_st]
TZ = GMT
LINE_BREAKER = \d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+Information:
SHOULD_LINEMERGE = false
TRANSFORMS-force_host_for_testdata = force_host_for_testdata
TRANSFORMS-force_host_for_testdata_1 = force_host_for_testdata_1

This config works on my local machine, but when pushed to heavy forwarders it doesn't work!

Need suggestions as to what is going wrong?


SplunkTrust

Is test_st sourcetype data coming from the Heavy Forwarder? If yes, then props.conf and transforms.conf should be on the HF and not on the IDX.

Additionally, can you please provide some sample data? (Please mask any sensitive data.)


Path Finder

It is coming from HF.

2017-08-02 02:16:15 Information: Process returned code XXX
ProcessLauncher\PL (Fast)
Command output:
Operating system is 32 bit
Application is running in 32 bit mode

SOME PROCESS SUCCESSFULLY EXECUTED - CODE XXX

Process exited with code XXX
Parameters:
Test.exe /component:Solution /process:"Test Process" /platform:Data /server:test-server\ABCD,12345 /db:TEST
Start: 02 Aug 2017 02:15:31
End: 02 Aug 2017 02:16:15


SplunkTrust

If your server name is test-server, then try the config below in transforms.conf:

[force_host_for_testdata]
DEST_KEY = MetaData:Host
REGEX = server\:([^\\]+)
FORMAT = host::$1

And you have provided only one data sample, so I am not sure about the other config, but give this a try or provide sample data for the regex MQ:\s+([^\]+):

[force_host_for_testdata_1]
DEST_KEY = MetaData:Host
REGEX = MQ\:\s+([^\\]+)
FORMAT = host::$1
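As an added check that is not part of the thread, the script below runs the original and corrected REGEX values and the LINE_BREAKER from this thread against a constructed sample modelled on the quoted log. It assumes Python's re engine treats these particular patterns the same way Splunk's PCRE engine does, and approximates event breaking as "a new event begins wherever LINE_BREAKER matches".

```python
import re

# Constructed sample modelled on the log excerpt quoted in the thread:
# two events arriving concatenated in one chunk of input.
RAW = (
    "2017-08-02 02:16:15 Information: Process returned code XXX\n"
    "ProcessLauncher\\PL (Fast)\n"
    "Parameters:\n"
    'Test.exe /component:Solution /process:"Test Process" '
    "/platform:Data /server:test-server\\ABCD,12345 /db:TEST\n"
    "2017-08-02 02:20:00 Information: Process returned code YYY\n"
    "Parameters:\n"
    "Test.exe /server:other-host\\EFGH,12345 /db:TEST\n"
)

# LINE_BREAKER from props.conf: the timestamp line marks the event boundary.
LINE_BREAKER = r"\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+Information:"

# The original and corrected REGEX values from transforms.conf.
# In the original, "\]" escapes the bracket, so the character class never closes.
REGEX_BROKEN = r"server:([^\]+)"
REGEX_FIXED = r"server\:([^\\]+)"


def compiles(pattern):
    """First thing to check for a transform that 'does nothing': is the regex valid?"""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def split_events(raw):
    """Approximate LINE_BREAKER with SHOULD_LINEMERGE = false (assumption, see lead-in):
    each event runs from one LINE_BREAKER match to the next."""
    starts = [m.start() for m in re.finditer(LINE_BREAKER, raw)]
    bounds = starts + [len(raw)]
    return [raw[a:b].strip() for a, b in zip(bounds, bounds[1:]) if raw[a:b].strip()]


def extract_host(event, pattern=REGEX_FIXED):
    """Apply the host transform: FORMAT = host::$1 uses the first capture group."""
    m = re.search(pattern, event)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("original regex compiles:", compiles(REGEX_BROKEN))
    for ev in split_events(RAW):
        print("host ->", extract_host(ev))
```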

Path Finder

Found it working, thanks.


SplunkTrust

You need to put props.conf and transforms.conf on the indexer, not on the forwarders, and then restart the indexer.


Path Finder

This feed is coming from the HF, so is there still a need to deploy on the indexers?
