Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Rewrite hostname don't work

bizza
Path Finder
‎10-14-2011 05:02 AM

Hi all,
I need to append the domain to all hosts that send data to my splunk indexer, to avoid duplications (hostname and hostname.domain are the same host)

This is my transforms.conf

[syslog_add_fqdn]
REGEX=host::([A-Za-z][-_A-Za-z0-9]*[A-Za-z0-9])$
FORMAT=host::$1.domain.local
WRITE_META=true
DEST_KEY=MetaData:Host
SOURCE_KEY=MetaData:Host

and props.conf

[linux_secure]
TRANSFORMS-zz_fix_host = syslog_add_fqdn

[syslog]
TRANSFORMS-zz_fix_host = syslog_add_fqdn

In $SPLUNK_HOME/var/log/splunk/splunkd.log I found this error:

/opt/splunk/var/log/splunk/splunkd.log:10-14-2011 13:22:58.652 +0200 ERROR regexExtractionProcessor - DEST_KEY or WRITE_META=true must be specified tranform_name=syslog_add_fqdn

What is wrong?
I tried to remove WRITE_META from my rules, change its position, but my indexer still log hostname on syslog souce type and hostname.domain on linux_secure source type (because on it my system log fqdn, the rule don't work).

Any hints?

0 Karma
Reply

Paolo_Prigione
Builder
‎10-15-2011 04:07 AM

You might have a conflict with the [syslog-host] rule in $SPLUNK_HOME/etc/system/default/transforms.conf, which is called by props.conf as:

[syslog]
....
TRANSFORMS = syslog-host

Maybe your rule is evaluated first, but then its results are overwritten by the default one.
You could try to force an order as:

[syslog]
...
TRANSFORMS = 
TRANSFORMS-zz_fix_host = syslog-host, syslog_add_fqdn

Have you inspected your runtime configurations with btool?

splunk btool --debug props list

Other than that, I recall the "-" when used in character classes should be either escaped or at the end of the class itself, otherwise it means a range.

[syslog_add_fqdn]
REGEX = host::([A-Za-z][\w\-]*[A-Za-z0-9])$
FORMAT = host::$1.domain.local
DEST_KEY = MetaData:Host
SOURCE_KEY = MetaData:Host

The write_meta should not be necessary in this case.

Reply

bizza
Path Finder
‎10-18-2011 11:32 AM

I'll check asap
Grazie Paolo 🙂

0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎10-14-2011 09:10 AM

I would start troubleshooting the problem by removing the host:: from the REGEX= line:
The SOURCE_KEY=MetaData:Host makes the REGEX operator work only on the host fied.

Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...