Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Unable to override host value with event data

boknows
Explorer
‎02-20-2025 05:21 PM

Hello,

 

I am trying to replace the host value that is the UF with event data as the value. 

 ACME-001 PROD-MFS-003: status="200/0" srcip="1.0.0.1" user="a7bk28" dhost="http://test_web.net/contents/content2.jpg?ee=ff&gg=hh" urlp="10" proto="HTTP/http" mtd="GET" urlc="Music" rep="24" mt="image/jpeg" mlwr="-" app="-" bytes="601/274/31302/00012" ua="Mozilla/5.0 (webOS/1.3; U; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/1.0 Safari/525.27.1 Desktop/1.0" lat="0/0/05/14" rule="rule14 bad" url="http://test_web.com/page5/e.jpg?ee=ff&gg=hh"
 ACME-001 PROD-POS-006: status="200/0" srcip="1.0.0.13" user="ItsEmeline" dhost="http://test_web.net/users/user2.jpg?ee=ff&gg=hh" urlp="10" proto="HTTP/http" mtd="GET" urlc="Beauty" rep="21" mt="application/xml" mlwr="-" app="-" bytes="534/020/100/130" ua="Mozilla/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko/20110623 Firefox/7.0a1" lat="0/10/026/105" rule="rule12 bad" url="http://test_web.net/contents/content2.jpg?ee=ff&gg=hh"

ACME-001 is what I want to be placed in as the value for the host field. These are teh props and transforms that I am using. 

props.conf

[mcafee:wg:kv]
TRANSFORMS-changehost = changehost
SHOULD_LINEMERGE = false
DATETIME_CONFIG = current

transforms.conf

[changehost]
DEST_KEY = MetaData:Host
REGEX = ^(?P<host>\S+)
FORMAT = host::$1

I have also tried 

^(\S+) for the regex

I have 1 SH, 1 CM, 2 IDX and 1 UF

I have put the props and transforms in app and pushed them to the indexers from the CM. They are on both indexes in /opt/splunk/etc/peer-apps

I have a TA that has the same sourcetype that I am using in props in my app. Im wondering if I should add the props and transforms to a local folder in the TA instead of having them in a separate app. 

Any suggestions would be much appreciated. 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-21-2025 08:31 AM

Hi @boknows ,

please don't duplicate questions!

See my answer to your other question:

https://community.splunk.com/t5/Splunk-Search/Host-override-with-event-data/m-p/712235#M240309

Ciao.

Giuseppe

0 Karma
Reply

boknows
Explorer
‎02-21-2025 08:37 AM

Sorry. The first time I sent it it said it was reported as spam so wasnt sure it went through

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...