Why do some logs come into indexer with empty host...

Adpafer · ‎05-29-2023

Hi,

There are some logs that come to Indexer with empty host field (host= ). These logs come to main index and I would like them to come to another index. I have source and sourcetype. I try to override index and route the logs to another index but it does not work. Here is my config. I would appreciate any help. Thx.

props:

[host:: ]
TRANSFORMS-myindex=override-index

transforms:

[override-index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = myindex

gcusello · ‎05-29-2023

Hi @Adpafer ,

probably the issue is that in the regex of the override-index standa you have to put a regex that reads the value to assign to the host field, using "REGEX = ." you use a string not acceptable for the host index.

Probably in the first part of your logs, there's the hostname definition, you have to use that regex to assign a correct value to the host, e.g. having an event like the following

2023-05-29 11:22:54 my_hostname 12345 ...

you have to use a regex like the following:

REGEX = ^\d\d\d\-\d\d-\d\d\s\d\d:\d\d:\d\d\s($1)
DEST_KEY = MetaData:Host
FORMAT = host::$1

you can use the "REGEX = ." expression only if you want to assign a fixed value to the host field.

Ciao.

Giuseppe

isoutamo · ‎05-29-2023

Hi
Any idea from where those are coming and why they didn't contain host value? Usually that should be there!
I try to figure out and fix this instead of trying send those to specific index with props and transforms.conf.
r. Ismo

Why do some logs come into indexer with empty host field?

index

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?