I need to append the domain to all hosts that send data to my splunk indexer, to avoid duplications (hostname and hostname.domain are the same host)
This is my transforms.conf
TRANSFORMS-zzfixhost = syslogadd_fqdn
TRANSFORMS-zzfixhost = syslogaddfqdn
In $SPLUNK_HOME/var/log/splunk/splunkd.log I found this error:
/opt/splunk/var/log/splunk/splunkd.log:10-14-2011 13:22:58.652 +0200 ERROR regexExtractionProcessor - DESTKEY or WRITEMETA=true must be specified tranformname=syslogadd_fqdn
What is wrong?
I tried removing WRITEMETA from my rules and changing its position, but my indexer still logs hostname on the syslog sourcetype and hostname.domain on the linuxsecure sourcetype (because on that one my system logs the FQDN; the rule doesn't work).
You might have a conflict with the [syslog-host] rule in $SPLUNK_HOME/etc/system/default/transforms.conf, which is called by props.conf as:
[syslog] .... TRANSFORMS = syslog-host
Maybe your rule is evaluated first, but then its results are overwritten by the default one.
You could try to force an order as:
[syslog]
...
TRANSFORMS-zz_fix_host = syslog-host, syslog_add_fqdn
Have you inspected your runtime configurations with btool?
splunk btool --debug props list
Other than that, I recall that the "-", when used inside a character class, should be either escaped or placed at the end of the class; otherwise it means a range.
[syslog_add_fqdn]
REGEX = host::([A-Za-z][\w\-]*[A-Za-z0-9])$
FORMAT = host::$1.domain.local
DEST_KEY = MetaData:Host
SOURCE_KEY = MetaData:Host
WRITE_META should not be necessary in this case.
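To make the ordering argument in the answer concrete, here is an added Python simulation of how Splunk chains transforms (it is not Splunk's code and not part of the original thread). It models each transforms.conf stanza as SOURCE_KEY/REGEX/FORMAT/DEST_KEY, runs the stanzas in a given order, and shows that when syslog_add_fqdn runs before the default syslog-host rule its result is overwritten, while the reverse order yields the FQDN. The syslog-host regex below is a simplified stand-in for the real default, the sample syslog lines are constructed, and the "domain.local" suffix is the one used in the answer.

```python
import re

# Constructed syslog lines for the demo (not from the original post).
RAW_PLAIN = "Oct 14 13:22:58 web01 sshd[1234]: Accepted publickey for alice"
RAW_FQDN = "Oct 14 13:22:59 web01.domain.local sshd[1235]: Failed password for root"

# Each entry models one transforms.conf stanza. Splunk applies REGEX to the
# SOURCE_KEY value (default _raw) and, on a match, writes the expanded FORMAT
# into DEST_KEY. This is a simulation of that behaviour, not Splunk's code.
TRANSFORMS = {
    # Simplified stand-in (assumption) for the default [syslog-host] stanza: it
    # reads _raw and resets the host to the token after the timestamp. The real
    # regex in $SPLUNK_HOME/etc/system/default/transforms.conf is more elaborate.
    "syslog-host": {
        "SOURCE_KEY": "_raw",
        "REGEX": r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(\w[\w.\-]*)\s",
        "FORMAT": "host::$1",
        "DEST_KEY": "MetaData:Host",
    },
    # The stanza from the answer: hyphen escaped inside the class, $ anchor so a
    # host that already carries a domain is left alone (no hostname.domain.domain).
    "syslog_add_fqdn": {
        "SOURCE_KEY": "MetaData:Host",
        "REGEX": r"host::([A-Za-z][\w\-]*[A-Za-z0-9])$",
        "FORMAT": "host::$1.domain.local",
        "DEST_KEY": "MetaData:Host",
    },
}


def validate(name, stanza):
    """Mirror the regexExtractionProcessor check quoted in the question:
    a transform must have DEST_KEY or WRITE_META=true."""
    if "DEST_KEY" not in stanza and not stanza.get("WRITE_META"):
        raise ValueError(
            f"DEST_KEY or WRITE_META=true must be specified transformname={name}")


def expand_format(fmt, match):
    """Replace $1, $2, ... in FORMAT with the captured groups of the match."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), fmt)


def apply_transforms(raw, input_host, order):
    """Run the named transforms in order and return the final host value.
    input_host is the host the forwarder/input assigned before parsing."""
    keys = {"_raw": raw, "MetaData:Host": f"host::{input_host}"}
    for name in order:
        stanza = TRANSFORMS[name]
        validate(name, stanza)
        m = re.search(stanza["REGEX"], keys.get(stanza["SOURCE_KEY"], ""))
        if m:
            keys[stanza["DEST_KEY"]] = expand_format(stanza["FORMAT"], m)
    return keys["MetaData:Host"]


if __name__ == "__main__":
    # Wrong order: the FQDN is added, then the default rule overwrites it.
    print(apply_transforms(RAW_PLAIN, "web01", ["syslog_add_fqdn", "syslog-host"]))
    # Right order: default rule first, then the FQDN is appended.
    print(apply_transforms(RAW_PLAIN, "web01", ["syslog-host", "syslog_add_fqdn"]))
    # Host already has the domain in the raw line: the $ anchor keeps it from
    # being doubled, which is what avoids a second copy of the same host.
    print(apply_transforms(RAW_FQDN, "web01", ["syslog-host", "syslog_add_fqdn"]))
```

Running it prints host::web01 for the wrong order and host::web01.domain.local for the other two cases, which is the behaviour the answer predicts. On a real indexer, confirm the effective order with `splunk btool props list syslog --debug` rather than trusting the file you edited, since a default or app-level stanza may be the one actually in effect.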