Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Trying to extract field and trim log after?

bosseres
Contributor
‎12-27-2022 06:54 AM

Hello everyone! I am trying to extract hostname from syslog-heading, and after trim it? Is it technically possible?

My props.conf:

[my_sourcetype]
EXTRACT-host = my_regex_here
SEDCMD-strip_heading = my_regex_here
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true

This not working. It's extracting field without trimming heading, but together this not working.

 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎12-27-2022 09:40 AM

There are several things going on here.

EXTRACT directive crates a search-time extraction, so you can't use it to fetch data from the part of the event you already discarded during ingestion.

Anyway, host is an indexed field (and one of the important default fields) so you should not try to overwrite it with search-time extractions.

Typically, hostname can be overwritten by splunk in index-time with one of standard transforms (see transforms defined for the syslog sourcetype).

 

View solution in original post

Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎12-27-2022 09:40 AM

There are several things going on here.

EXTRACT directive crates a search-time extraction, so you can't use it to fetch data from the part of the event you already discarded during ingestion.

Anyway, host is an indexed field (and one of the important default fields) so you should not try to overwrite it with search-time extractions.

Typically, hostname can be overwritten by splunk in index-time with one of standard transforms (see transforms defined for the syslog sourcetype).

 

Reply
Solved! Jump to solution

bosseres
Contributor
‎12-27-2022 10:11 PM

Thank you for your responding! Not obligatory extract field host, it's acceptable to extract field "hostname" for example, but if I understood correctly technically it's not possible, because I trim this part.

"Typically, hostname can be overwritten by splunk in index-time with one of standard transforms (see transforms defined for the syslog sourcetype)."

Can you give link on materials to read about?

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎12-27-2022 11:17 PM

There are plenty of materials about index-time extractions

For example - https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Configureindex-timefieldextraction

And about the example I told you, if you do

splunk btool props list syslog | grep TRANSFORMS

You'll see

TRANSFORMS = syslog-host
TRANSFORMS-syslog_auditing = linux_audit_enriched

Of those two transforms, the one that is of interest to us at this time is the "syslog-host one".

So let's see how it's defined

$ /opt/splunk/bin/splunk btool transforms list syslog-host
[syslog-host]
CAN_OPTIMIZE = True
CLEAN_KEYS = True
DEFAULT_VALUE = 
DEPTH_LIMIT = 1000
DEST_KEY = MetaData:Host
FORMAT = host::$1
KEEP_EMPTY_VALS = False
LOOKAHEAD = 4096
MATCH_LIMIT = 100000
MV_ADD = False
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
SOURCE_KEY = _raw
WRITE_META = False

 As you can see, it uses a REGEX to find a host part in the line ( the \[?(\w[\w\.\-]{2,})\]? sequence) to overwrite the host field (the DEST_KEY and FORMAT settings)

Reply
Solved! Jump to solution

bosseres
Contributor
‎12-27-2022 07:03 AM

add: I trim syslog-header for json auto-extraction, so i need it

0 Karma
Reply
Get Updates on the Splunk Community!

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

[Puzzles] Solve, Learn, Repeat: Nested loops in Event Conversion

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...