- Community
- :
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Rename host during indexing
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello everyone, 🙂
i have the following question.
In my environment i have 3 different UF where a scripted input is working with the original servername to extract some data. Thi sscript is inside one app i deployed the UF, so there is only one inputs.conf working.
What i need to do, is to rename the host name.
I Know that i can do something with the transforms.conf and props.conf, but i dont know how to do this.
example:
| Original Hostname | Needed Hostname |
| slc4E45 | EMP |
| slc4P49 | PMP |
| slc4L47 | LMP |
Maybe something like...
host = eval(case(host=slc4E45, EMP, host=slc4P49, PMP, host=slc4L47, LMP))
inside the transforms.conf.
Thank you for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @klischatb,
as you can read at https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Overridedefaulthostassignments you can override host value based on a regex or a value,
in your case you have to put a props.conf and a transform.conf in your indexer or (when present) on your Heavy Forwarders:
props.conf
[host::slc4E45]
TRANSFORMS-slc4E45 = override_host_slc4E45
[host::slc4P49]
TRANSFORMS-slc4E45 = override_host_slc4E45
[host::slc4L47]
TRANSFORMS-slc4E45 = override_host_slc4E45transforms.conf
[override_host_slc4E45]
REGEX = .
FORMAT = EMP
DEST_KEY = MetaData:Host
[override_host_slc4P49]
REGEX = .
FORMAT = PMP
DEST_KEY = MetaData:Host
[override_host_slc4L47]
REGEX = .
FORMAT = LMP
DEST_KEY = MetaData:HostRemember to restart Splunk after conf files modifying.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you a lot @gcusello. ✔️
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @klischatb,
as you can read at https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Overridedefaulthostassignments you can override host value based on a regex or a value,
in your case you have to put a props.conf and a transform.conf in your indexer or (when present) on your Heavy Forwarders:
props.conf
[host::slc4E45]
TRANSFORMS-slc4E45 = override_host_slc4E45
[host::slc4P49]
TRANSFORMS-slc4E45 = override_host_slc4E45
[host::slc4L47]
TRANSFORMS-slc4E45 = override_host_slc4E45transforms.conf
[override_host_slc4E45]
REGEX = .
FORMAT = EMP
DEST_KEY = MetaData:Host
[override_host_slc4P49]
REGEX = .
FORMAT = PMP
DEST_KEY = MetaData:Host
[override_host_slc4L47]
REGEX = .
FORMAT = LMP
DEST_KEY = MetaData:HostRemember to restart Splunk after conf files modifying.
Ciao.
Giuseppe
Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!
Introducing Edge Processor: Next Gen Data Transformation
Take the 2021 Splunk Career Survey for $50 in Amazon Cash
