I'm trying to put a host in a host field before indexing the csv file below.
【CSV file】
#ServerName001
#JobName,Start time,End time,Elapsed time,Status
JobName_01,11/05/21 19:08:07,11/05/21 19:08:41,00:00:34,Succeeded
JobName_02,11/05/21 20:49:53,11/05/21 21:19:06,00:29:13,Succeeded
JobName_03,11/05/21 21:53:10,11/05/21 21:53:15,00:00:05,Succeeded
I set TRANSFORMS in props.conf with changeHost and set the contents of changeHost in transfoms.conf as follows.
【changeHost】
[changeHost]
SOURCE_KEY = _raw
REGEX = \#(\S+)\s\#:
DEST_KEY = MetaData:Host
FORMAT = host::$1
I want to set host field as ServerName001, but it doesn't work.
Can anyone give me some advice?
Depending on what other settings are in props.conf, it's possible the # lines are ignored.
Even so, however, each line of the CSV file is processed independently with the transform attempting to find "#". When it fails to find a match (because there is no "#" on the line) the host name is not written
I'm not aware of a method to extract a field and then use it in every event that follows. Perhaps you coudl suggest it at https://ideas.splunk.com