Hello everyone, 🙂
I have the following question.
In my environment I have 3 different UFs where a scripted input is working with the original server name to extract some data. This script is inside one app I deployed to the UFs, so there is only one inputs.conf working.
What I need to do is to rename the host name.
I know that I can do something with the transforms.conf and props.conf, but I don't know how to do this.
Example:
Original Hostname | Needed Hostname |
slc4E45 | EMP |
slc4P49 | PMP |
slc4L47 | LMP |
Maybe something like...
host = eval(case(host=slc4E45, EMP, host=slc4P49, PMP, host=slc4L47, LMP))
inside the transforms.conf.
Thank you for your help.
Hi @klischatb,
as you can read at https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Overridedefaulthostassignments you can override host value based on a regex or a value,
in your case you have to put a props.conf and a transforms.conf on your indexer or (when present) on your Heavy Forwarders:
props.conf
# Each [host::<original name>] stanza calls its own transform
[host::slc4E45]
TRANSFORMS-slc4E45 = override_host_slc4E45
[host::slc4P49]
TRANSFORMS-slc4P49 = override_host_slc4P49
[host::slc4L47]
TRANSFORMS-slc4L47 = override_host_slc4L47
transforms.conf
# REGEX = . matches every event; with DEST_KEY = MetaData:Host the FORMAT value needs the host:: prefix
[override_host_slc4E45]
REGEX = .
FORMAT = host::EMP
DEST_KEY = MetaData:Host
[override_host_slc4P49]
REGEX = .
FORMAT = host::PMP
DEST_KEY = MetaData:Host
[override_host_slc4L47]
REGEX = .
FORMAT = host::LMP
DEST_KEY = MetaData:Host
Remember to restart Splunk after modifying the conf files.
Ciao.
Giuseppe
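A small pre-deployment check for this kind of host override, as an added example that is not part of the original answer: it parses props.conf and transforms.conf text, resolves which host value each [host::...] stanza would end up with, and flags references to undefined transforms, FORMAT values without the host:: prefix, and hosts that resolve to something other than the intended name. The function names and the embedded sample config are constructed for illustration.

```python
import configparser

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case (TRANSFORMS-..., DEST_KEY)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def lint_host_overrides(props_text, transforms_text, expected):
    """Return (resolved host mapping, list of problems) for [host::...] stanzas."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    mapping, problems = {}, []
    for stanza, keys in props.items():
        if not stanza.startswith("host::"):
            continue
        src = stanza[len("host::"):]
        for key, value in keys.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                t = transforms.get(name)
                if t is None:
                    problems.append(f"[{stanza}] references undefined transform {name}")
                elif t.get("DEST_KEY") == "MetaData:Host":
                    fmt = t.get("FORMAT", "")
                    if fmt.startswith("host::"):
                        mapping[src] = fmt[len("host::"):]
                    else:
                        problems.append(f"[{name}] FORMAT {fmt!r} lacks the host:: prefix")
    for src, want in expected.items():
        if mapping.get(src) != want:
            problems.append(f"{src} resolves to {mapping.get(src)!r}, expected {want!r}")
    return mapping, problems

# Constructed sample: the second stanza points at the wrong transform (copy-paste slip).
SAMPLE_PROPS = """
[host::slc4E45]
TRANSFORMS-slc4E45 = override_host_slc4E45
[host::slc4P49]
TRANSFORMS-slc4P49 = override_host_slc4E45
"""
SAMPLE_TRANSFORMS = """
[override_host_slc4E45]
REGEX = .
FORMAT = host::EMP
DEST_KEY = MetaData:Host
"""
if __name__ == "__main__":
    print(lint_host_overrides(SAMPLE_PROPS, SAMPLE_TRANSFORMS,
                              {"slc4E45": "EMP", "slc4P49": "PMP"}))
```

Running it against the real files before a restart catches a wrong mapping while it is still a config typo, since a host written at index time stays on the already indexed events.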
Thank you a lot @gcusello. ✔️