Question about host field

AHA-0114 · ‎11-18-2021

I'm trying to put a host in a host field before indexing the csv file below.

【CSV file】

#ServerName001
#JobName,Start time,End time,Elapsed time,Status
JobName_01,11/05/21 19:08:07,11/05/21 19:08:41,00:00:34,Succeeded
JobName_02,11/05/21 20:49:53,11/05/21 21:19:06,00:29:13,Succeeded
JobName_03,11/05/21 21:53:10,11/05/21 21:53:15,00:00:05,Succeeded

I set TRANSFORMS in props.conf with changeHost and set the contents of changeHost in transfoms.conf as follows.

【changeHost】

[changeHost]
SOURCE_KEY = _raw
REGEX = \#(\S+)\s\#:
DEST_KEY = MetaData:Host
FORMAT = host::$1

I want to set host field as ServerName001, but it doesn't work.
Can anyone give me some advice?

richgalloway · ‎11-18-2021

Depending on what other settings are in props.conf, it's possible the # lines are ignored.

Even so, however, each line of the CSV file is processed independently with the transform attempting to find "#". When it fails to find a match (because there is no "#" on the line) the host name is not written

I'm not aware of a method to extract a field and then use it in every event that follows. Perhaps you coudl suggest it at https://ideas.splunk.com

---
If this reply helps you, Karma would be appreciated.

Question about host field

host

index

props.conf

transforms.conf

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!