Getting Data In

Unable to rewrite host meta key at ingestion

brent_weaver
Builder

I have a reg ex tested and working that will extract the host out of these events. My transforms is as follows:

 

 

 

 

 

[hostextraction]
REGEX = ^.*\d+\s(.*)ASM:.*
FORMAT = host::$1
DEST_KEY = MetaData:Host

 

 

 

 

 

props:

 

 

 

 

 

[myst]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIME_PREFIX = ^.{1,16}\b(?:\d{1,3}\.){3}\d{1,3}\b\s
TRANSFORMS-whateva = hostextraction

 

 

 

 

 

 This has no affect on the host metadata key. Any help is much appreciated. I am taking this directly from Splunk Documentation.  I am getting this message in _internal

ERROR regexExtractionProcessor - REGEX field must be specified tranform_name=hostextraction
 
Any help is much appreciated!
Labels (1)
0 Karma

brent_weaver
Builder
Sep 20 11:13:18 10.50.3.100 Sep 20 11:13:15 DC1ASM1.dc1.greendotcorp.com ASM:"MONEYPAK_WEBAPP","MONEYPAK_CLASS","Blocked","Attack signature detected","4523972057501654520","207.154.35.240","GET /Content/Images/img_logo01_module02.gif HTTP/1.1\r\nHost: www.moneypak.com\r\nUser-Agent: sam375/1.0[TF268435460801870024000000015076264944] UP.Browser/6.2.3.8 (GUI) MMP/2.0 Profile/MIDP-2.0 Configuration/CLDC-1.1\r\nAccept-Charset: iso-8859-1\r\nAccept-Language: en; q=0.9, es-ve; q=0.9\r\nx-wap-profile: ""http://uaprof1.caohosting.com/UAProfSamsung_R375_TF_V01.xml""\r\nReferer: ../../UseMoneyPak.aspx\r\nCookie: ASP.NET_SessionId=fygzml55xi4i5j45sqnduhy3; __RequestVerificationToken_Lw__=a3NVWCZIIdAJq9jOKEbhic39Vp03TnfuaVRd0mv7yBMYi88KbWiEO1uTpjKuQyybqfSC6JzuMPAA/EPxUpMeeI5hAxDRBepfwT7oeGSTy4xDp+vX7lqDSnJ4C2FI5J6yNRoasA==; TS9d98d7=9f0b4c041f7d935b1147a57259d88de374a21272ed77bfab505b5c7636af3f5e4cdb125288da4b2db1281d8f\r\nAccept: application/octet-stream, application/vnd.oma.drm.content, application/vnd.oma.drm.message, application/vnd.oma.drm.rights+wbxml, application/vnd.oma.drm.rights+xml, a
0 Karma

isoutamo
SplunkTrust
SplunkTrust
Can you provide any sample data where you are trying extract host?
0 Karma

brent_weaver
Builder

See above as I just posted a sample of data.

0 Karma
Get Updates on the Splunk Community!

Events has wrong timestamp, How to correct time config?

Hello Splunkers, I've an issue with my event time configuration. It has incorrect timestamp. Below are my ...

Maximize the Value from Microsoft Defender with Splunk

<P style=" text-align: center; "><span class="lia-inline-image-display-wrapper lia-image-align-center" ...

What is the use drop_dm_object_name() clause in a query with tstats.?

I am trying to find out what purpose drop_dm_object_name() serves.