Getting Data In

Rewrite hostname don't work

Path Finder

Hi all,
I need to append the domain to all hosts that send data to my splunk indexer, to avoid duplications (hostname and hostname.domain are the same host)

This is my transforms.conf


and props.conf

fixhost = syslogadd_fqdn

TRANSFORMS-zzfixhost = syslogaddfqdn

In $SPLUNK_HOME/var/log/splunk/splunkd.log I found this error:

/opt/splunk/var/log/splunk/splunkd.log:10-14-2011 13:22:58.652 +0200 ERROR regexExtractionProcessor - DESTKEY or WRITEMETA=true must be specified tranformname=syslogadd_fqdn

What is wrong?
I tried to remove WRITEMETA from my rules, change its position, but my indexer still log hostname on syslog souce type and hostname.domain on linuxsecure source type (because on it my system log fqdn, the rule don't work).

Any hints?

0 Karma

You might have a conflict with the [syslog-host] rule in $SPLUNK_HOME/etc/system/default/transforms.conf, which is called by props.conf as:

TRANSFORMS = syslog-host

Maybe your rule is evaluated first, but then its results are overwritten by the default one.
You could try to force an order as:

TRANSFORMS-zz_fix_host = syslog-host, syslog_add_fqdn

Have you inspected your runtime configurations with btool?

splunk btool --debug props list

Other than that, I recall the "-" when used in character classes should be either escaped or at the end of the class itself, otherwise it means a range.

REGEX = host::([A-Za-z][\w\-]*[A-Za-z0-9])$
FORMAT = host::$1.domain.local
DEST_KEY = MetaData:Host
SOURCE_KEY = MetaData:Host

The write_meta should not be necessary in this case.

Path Finder

I'll check asap
Grazie Paolo 🙂

0 Karma

Splunk Employee
Splunk Employee

I would start troubleshooting the problem by removing the host:: from the REGEX= line:
The SOURCE_KEY=MetaData:Host makes the REGEX operator work only on the host fied.