Getting Data In

help with host override

ilhwan
Path Finder

I'm trying to rewrite the host field on events that are coming into a HEC on a HF.  It's populating the hostname of the HF as host, and I'd really like to use what's in the event.

props.conf:

[source::ansible]
TRANSFORMS-hostoverride = ansible_override

transforms.conf:

[ansible_override]
DEST_KEY = MetaData:Host
REGEX = \"cluster_host_id\"\:s\"([a-zA-Z.-_]+)\"
FORMAT = host::$1

Here's a sample raw event:

{"@timestamp": "2026-01-23T18:09:35.832Z", "message": "Request appeared to be a trusted upstream proxy but failed to provide a matching shared secret.", "host": "uiitaap31.xxx.com", "level": "WARNING", "logger_name": "awx.api.generics", "stack_info": null, "guid": "c1daaaf92a4f403bb5739802f5d33d93", "cluster_host_id": "uiitaap31.xxx.com", "tower_uuid": null}

This is what I'm getting:


Instead of replacing the host, it's appending.  What am I doing wrong?

0 Karma

PickleRick
SplunkTrust

Aren't you by any chance using indexed extractions?

0 Karma

gcusello
SplunkTrust

Hi @ilhwan ,

a backslash is missing before the s:

\"cluster_host_id\"\:\s\"([a-zA-Z.-_]+)\"

Ciao.

Giuseppe

0 Karma
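As an added illustration (not posted by anyone in this thread), the script below runs the REGEX values exactly as they appear in the transforms.conf lines above against the sample event from the question, with Python's re module standing in for Splunk's PCRE engine. The hyphenated event and the third pattern are constructed here to show that `[a-zA-Z.-_]` is a range from `.` to `_` (digits and punctuation included, hyphen excluded), not the three literal characters the class looks like it lists.

```python
import re

# Sample raw event as posted in the question.
SAMPLE_EVENT = ('{"@timestamp": "2026-01-23T18:09:35.832Z", "message": "Request appeared to be a '
                'trusted upstream proxy but failed to provide a matching shared secret.", '
                '"host": "uiitaap31.xxx.com", "level": "WARNING", "logger_name": "awx.api.generics", '
                '"stack_info": null, "guid": "c1daaaf92a4f403bb5739802f5d33d93", '
                '"cluster_host_id": "uiitaap31.xxx.com", "tower_uuid": null}')

# Constructed event (not from the thread) whose hostname contains a hyphen.
HYPHEN_EVENT = '{"cluster_host_id": "uiit-aap31.xxx.com", "level": "INFO"}'

# REGEX values exactly as written on the transforms.conf lines (raw strings, so
# the backslashes reach the regex engine just as Splunk would pass them to PCRE).
REGEX_AS_POSTED  = r'\"cluster_host_id\"\:s\"([a-zA-Z.-_]+)\"'      # literal 's' instead of \s
REGEX_GCUSELLO   = r'\"cluster_host_id\"\:\s\"([a-zA-Z.-_]+)\"'     # backslash restored
REGEX_HOST_CHARS = r'\"cluster_host_id\"\:\s\"([A-Za-z0-9._-]+)\"'  # constructed: hyphen as a literal


def extract_host(regex: str, raw: str):
    """Emulate one transforms.conf REGEX with FORMAT = host::$1 against _raw.

    Returns the captured host, or None when the regex does not match; in Splunk a
    non-matching transform leaves MetaData:Host untouched, so None means the HF's
    own hostname would remain as host.
    """
    m = re.search(regex, raw)
    return m.group(1) if m else None


def class_members(char_class: str) -> str:
    """Return the printable ASCII characters a regex character class accepts."""
    pattern = re.compile(char_class)
    return ''.join(c for c in map(chr, range(0x21, 0x7F)) if pattern.fullmatch(c))


if __name__ == "__main__":
    print("as posted, sample event :", extract_host(REGEX_AS_POSTED, SAMPLE_EVENT))   # None
    print("with \\s, sample event   :", extract_host(REGEX_GCUSELLO, SAMPLE_EVENT))   # uiitaap31.xxx.com
    print("with \\s, hyphen event   :", extract_host(REGEX_GCUSELLO, HYPHEN_EVENT))   # None
    print("[A-Za-z0-9._-], hyphen  :", extract_host(REGEX_HOST_CHARS, HYPHEN_EVENT))  # uiit-aap31.xxx.com
    print("[a-zA-Z.-_] accepts     :", class_members('[a-zA-Z.-_]'))
```

Because a non-matching transform never rewrites the host, the as-posted regex cannot by itself explain a second host value; it only explains why the event's own hostname was not applied.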

livehybrid
SplunkTrust

Hi @ilhwan 

I noticed back in 2022 you posted something similar to this around some sourcetypes and changing the host, so I just wanted to check - is there any chance there could be a conflict between these props/transforms and previous ones deployed?

Are you able to check the other props.conf configs for this same sourcetype to ensure no other transforms are being applied? As far as I can tell the way you are doing it should overwrite the existing host value which makes me wonder if something else is appending it somewhere.

Are you also able to confirm that there are no other search-time extractions occurring?

If you run the search in fast mode do you get the same host values (2 values per event)?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma

ilhwan
Path Finder

Okay.  I think I managed to cut out just the relevant stanzas from the big btool outputs.

props.conf:

/opt/splunk/etc/apps/launcher/local/props.conf        [source::ansible]
/opt/splunk/etc/system/default/props.conf         ADD_EXTRA_TIME_FIELDS = True
/opt/splunk/etc/system/default/props.conf         ANNOTATE_PUNCT = True
/opt/splunk/etc/system/default/props.conf         AUTO_KV_JSON = true
/opt/splunk/etc/system/default/props.conf         BREAK_ONLY_BEFORE =
/opt/splunk/etc/system/default/props.conf         BREAK_ONLY_BEFORE_DATE = True
/opt/splunk/etc/system/default/props.conf         CHARSET = UTF-8
/opt/splunk/etc/system/default/props.conf         DATETIME_CONFIG = /etc/datetime.xml
/opt/splunk/etc/system/default/props.conf         DEPTH_LIMIT = 1000
/opt/splunk/etc/system/default/props.conf         DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false
/opt/splunk/etc/system/default/props.conf         HEADER_MODE =
/opt/splunk/etc/system/default/props.conf         LB_CHUNK_BREAKER_TRUNCATE = 2000000
/opt/splunk/etc/system/default/props.conf         LEARN_MODEL = true
/opt/splunk/etc/system/default/props.conf         LEARN_SOURCETYPE = true
/opt/splunk/etc/system/default/props.conf         LINE_BREAKER_LOOKBEHIND = 100
/opt/splunk/etc/system/default/props.conf         MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/props.conf         MAX_DAYS_AGO = 2000
/opt/splunk/etc/system/default/props.conf         MAX_DAYS_HENCE = 2
/opt/splunk/etc/system/default/props.conf         MAX_DIFF_SECS_AGO = 3600
/opt/splunk/etc/system/default/props.conf         MAX_DIFF_SECS_HENCE = 604800
/opt/splunk/etc/system/default/props.conf         MAX_EVENTS = 256
/opt/splunk/etc/system/default/props.conf         MAX_EXPECTED_EVENT_LINES = 7
/opt/splunk/etc/system/default/props.conf         MAX_TIMESTAMP_LOOKAHEAD = 128
/opt/splunk/etc/system/default/props.conf         MUST_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf         MUST_NOT_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf         MUST_NOT_BREAK_BEFORE =
/opt/splunk/etc/system/default/props.conf         SEGMENTATION = indexing
/opt/splunk/etc/system/default/props.conf         SEGMENTATION-all = full
/opt/splunk/etc/system/default/props.conf         SEGMENTATION-inner = inner
/opt/splunk/etc/system/default/props.conf         SEGMENTATION-outer = outer
/opt/splunk/etc/system/default/props.conf         SEGMENTATION-raw = none
/opt/splunk/etc/system/default/props.conf         SEGMENTATION-standard = standard
/opt/splunk/etc/system/default/props.conf         SHOULD_LINEMERGE = True
/opt/splunk/etc/system/default/props.conf         TRANSFORMS =
/opt/splunk/etc/apps/dw-hf_settings/default/props.conf        TRANSFORMS-hf_name = hf_name
/opt/splunk/etc/apps/launcher/local/props.conf        TRANSFORMS-host_override = ansible_override
/opt/splunk/etc/system/default/props.conf         TRUNCATE = 10000
/opt/splunk/etc/system/default/props.conf         detect_trailing_nulls = false
/opt/splunk/etc/system/default/props.conf         maxDist = 100
/opt/splunk/etc/system/default/props.conf         priority =
/opt/splunk/etc/system/default/props.conf         sourcetype =
/opt/splunk/etc/system/default/props.conf         termFrequencyWeightedDist = false
/opt/splunk/etc/system/default/props.conf         unarchive_cmd_start_mode = shell

transforms.conf:

/opt/splunk/etc/apps/launcher/local/transforms.conf        [ansible_override]
/opt/splunk/etc/system/default/transforms.conf         CAN_OPTIMIZE = True
/opt/splunk/etc/system/default/transforms.conf         CLEAN_KEYS = True
/opt/splunk/etc/system/default/transforms.conf         DEFAULT_VALUE =
/opt/splunk/etc/system/default/transforms.conf         DEPTH_LIMIT = 1000
/opt/splunk/etc/apps/launcher/local/transforms.conf        DEST_KEY = MetaData:Host
/opt/splunk/etc/apps/launcher/local/transforms.conf        FORMAT = host::$1
/opt/splunk/etc/system/default/transforms.conf         KEEP_EMPTY_VALS = False
/opt/splunk/etc/system/default/transforms.conf         LOOKAHEAD = 4096
/opt/splunk/etc/system/default/transforms.conf         MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/transforms.conf         MV_ADD = False
/opt/splunk/etc/apps/launcher/local/transforms.conf        REGEX = \"cluster_host_id\"\:s\"([a-zA-Z.-_]+)\"
/opt/splunk/etc/system/default/transforms.conf         SOURCE_KEY = _raw
/opt/splunk/etc/system/default/transforms.conf         WRITE_META = False
0 Karma

ilhwan
Path Finder

Wow.  I'd forgotten about the question in 2022.  That was a completely different source that comes in via a TA, and I'm assuming it wouldn't interact.

Searching in fast mode still shows both hosts in the metadata host field.  I did a search for "ansible" in the field extractions screen and found nothing.  Is there an easy way to tell if I'm doing unintended search-time extractions?

This is what I see for props and transforms when I restrict it to the app:

[splunk@UPSPLHF01 ~]$ /opt/splunk/bin/splunk btool props list --app=launcher --debug
/opt/splunk/etc/apps/launcher/local/props.conf [source::ansible]
/opt/splunk/etc/apps/launcher/local/props.conf TRANSFORMS-host_override = ansible_override
[splunk@UPSPLHF01 ~]$ /opt/splunk/bin/splunk btool transforms list --app=launcher --debug
/opt/splunk/etc/apps/launcher/local/transforms.conf [ansible_override]
/opt/splunk/etc/apps/launcher/local/transforms.conf DEST_KEY = MetaData:Host
/opt/splunk/etc/apps/launcher/local/transforms.conf FORMAT = host::$1
/opt/splunk/etc/apps/launcher/local/transforms.conf REGEX = \"cluster_host_id\"\:s\"([a-zA-Z.-_]+)\"
[splunk@UPSPLHF01 ~]$

If I do not restrict it to the launcher app, it returns too much for me to post.

0 Karma