Getting Data In

help with host override

ilhwan
Path Finder

I'm trying to rewrite the host field on events that are coming into a HEC on a HF.  It's populating the hostname of the HF as host, and I'd really like to use what's in the event.

props.conf:

[source::ansible]
TRANSFORMS-hostoverride = ansible_override

transforms.conf:

[ansible_override]
DEST_KEY = MetaData:Host
REGEX = \"cluster_host_id\"\:s\"([a-zA-Z.-_]+)\"
FORMAT = host::$1

Here's a sample raw event:

{"@timestamp": "2026-01-23T18:09:35.832Z", "message": "Request appeared to be a trusted upstream proxy but failed to provide a matching shared secret.", "host": "uiitaap31.xxx.com", "level": "WARNING", "logger_name": "awx.api.generics", "stack_info": null, "guid": "c1daaaf92a4f403bb5739802f5d33d93", "cluster_host_id": "uiitaap31.xxx.com", "tower_uuid": null}

This is what I'm getting:

[screenshot: ilhwan_0-1769192939198.png]

Instead of replacing the host, it's appending.  What am I doing wrong?


PickleRick
SplunkTrust

Aren't you by any chance using indexed extractions?


gcusello
SplunkTrust

Hi @ilhwan ,

a backslash is missing before the s:

\"cluster_host_id\"\:\s\"([a-zA-Z.-_]+)\"

Ciao.

Giuseppe
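The regex change above can be checked without a restart and without waiting a day for the next event. The following Python script is an added example, not code from the thread or from Splunk: it runs the posted REGEX and the corrected one against a copy of the sample event with Python's `re`, which treats everything in these two patterns the same way Splunk's PCRE engine does. The original pattern never matches, because `\:s` is a literal colon followed by a literal `s` while the event contains `": "`, and a transform whose REGEX never matches silently leaves host untouched. The script also includes a stricter pattern (my addition, not from the thread), because `[a-zA-Z.-_]` is parsed as the range `.` to `_` (0x2E to 0x5F), which admits digits but also punctuation such as `:`, `@` and `\`. Finally, `event_json_host_field` pulls out the event's own top-level `"host"` key; any JSON field extraction of this event (indexed, as PickleRick asks, or search-time AUTO_KV_JSON, which the btool output later in the thread shows enabled) can surface that key as a second value of `host` next to the metadata host, which is worth ruling out before blaming the transform.

```python
import json
import re

# Constructed copy of the sample event from the post (not captured from a live system).
SAMPLE_EVENT = (
    '{"@timestamp": "2026-01-23T18:09:35.832Z", "message": "Request appeared to be a '
    'trusted upstream proxy but failed to provide a matching shared secret.", '
    '"host": "uiitaap31.xxx.com", "level": "WARNING", "logger_name": "awx.api.generics", '
    '"stack_info": null, "guid": "c1daaaf92a4f403bb5739802f5d33d93", '
    '"cluster_host_id": "uiitaap31.xxx.com", "tower_uuid": null}'
)

# REGEX exactly as posted: `\:s\"` is a literal colon, a literal letter s, then a quote,
# so it can never match the `": "` that the event actually contains.
ORIGINAL_REGEX = r'\"cluster_host_id\"\:s\"([a-zA-Z.-_]+)\"'

# The fix from the thread: escape the s so it becomes \s (one whitespace character).
FIXED_REGEX = r'\"cluster_host_id\"\:\s\"([a-zA-Z.-_]+)\"'

# Stricter variant (an assumption, not from the thread): \s* tolerates zero or more spaces,
# and the character class spells out hostname characters instead of the range `.-_`.
STRICT_REGEX = r'"cluster_host_id":\s*"([A-Za-z0-9._-]+)"'


def extract_host(regex: str, raw: str):
    """Apply a transforms.conf-style REGEX against SOURCE_KEY=_raw.

    Returns the value FORMAT = host::$1 would write, or None when the REGEX
    does not match (in which case Splunk leaves MetaData:Host as it was).
    """
    m = re.search(regex, raw)
    if m is None:
        return None
    return "host::" + m.group(1)


def range_members(lo: str, hi: str) -> str:
    """Every character a regex range lo-hi admits, in ASCII order."""
    return "".join(chr(c) for c in range(ord(lo), ord(hi) + 1))


def event_json_host_field(raw: str):
    """The event's own top-level "host" key, i.e. what JSON field extraction would surface as host."""
    return json.loads(raw).get("host")


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL_REGEX), ("fixed", FIXED_REGEX), ("strict", STRICT_REGEX)):
        print(f"{name:9s} -> {extract_host(rx, SAMPLE_EVENT)}")
    print("range .-_ admits:", range_members(".", "_"))
    print("event's own host key:", event_json_host_field(SAMPLE_EVENT))
```

If the fixed pattern extracts the host here but the indexed events still show the HF hostname, the REGEX is no longer the problem and the remaining suspects are the order and origin of the other transforms on the stanza and the JSON extraction of the event's own `host` key.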

ilhwan
Path Finder

Okay, I finally got an event on that collector.

[screenshot: ilhwan_0-1769805434416.png]

We're so close.  It looks like I can search by hostname, and I can probably leave it this way.  


ilhwan
Path Finder

Good catch!  Thank you.  Unfortunately, I'll need a day or two to actually test it out because the events come in so infrequently.


livehybrid
SplunkTrust

Hi @ilhwan 

I noticed back in 2022 you posted similar to this around some sourcetypes and changing the host so I just wanted to check - is there any chance there could be a conflict between these props/transforms and previous ones deployed?

Are you able to check the other props.conf configs for this same sourcetype to ensure no other transforms are being applied? As far as I can tell the way you are doing it should overwrite the existing host value which makes me wonder if something else is appending it somewhere.

Are you also able to confirm that there are no other search-time extractions occurring? 

If you run the search in fast mode, do you get the same host values (2 values per event)?


ilhwan
Path Finder

Okay.  I think I managed to cut out just the relevant stanzas from the big btool outputs.

props.conf:

/opt/splunk/etc/apps/launcher/local/props.conf        [source::ansible]
/opt/splunk/etc/system/default/props.conf         ADD_EXTRA_TIME_FIELDS = True
/opt/splunk/etc/system/default/props.conf         ANNOTATE_PUNCT = True
/opt/splunk/etc/system/default/props.conf         AUTO_KV_JSON = true
/opt/splunk/etc/system/default/props.conf         BREAK_ONLY_BEFORE =
/opt/splunk/etc/system/default/props.conf         BREAK_ONLY_BEFORE_DATE = True
/opt/splunk/etc/system/default/props.conf         CHARSET = UTF-8
/opt/splunk/etc/system/default/props.conf         DATETIME_CONFIG = /etc/datetime.xml
/opt/splunk/etc/system/default/props.conf         DEPTH_LIMIT = 1000
/opt/splunk/etc/system/default/props.conf         DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false
/opt/splunk/etc/system/default/props.conf         HEADER_MODE =
/opt/splunk/etc/system/default/props.conf         LB_CHUNK_BREAKER_TRUNCATE = 2000000
/opt/splunk/etc/system/default/props.conf         LEARN_MODEL = true
/opt/splunk/etc/system/default/props.conf         LEARN_SOURCETYPE = true
/opt/splunk/etc/system/default/props.conf         LINE_BREAKER_LOOKBEHIND = 100
/opt/splunk/etc/system/default/props.conf         MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/props.conf         MAX_DAYS_AGO = 2000
/opt/splunk/etc/system/default/props.conf         MAX_DAYS_HENCE = 2
/opt/splunk/etc/system/default/props.conf         MAX_DIFF_SECS_AGO = 3600
/opt/splunk/etc/system/default/props.conf         MAX_DIFF_SECS_HENCE = 604800
/opt/splunk/etc/system/default/props.conf         MAX_EVENTS = 256
/opt/splunk/etc/system/default/props.conf         MAX_EXPECTED_EVENT_LINES = 7
/opt/splunk/etc/system/default/props.conf         MAX_TIMESTAMP_LOOKAHEAD = 128
/opt/splunk/etc/system/default/props.conf         MUST_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf         MUST_NOT_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf         MUST_NOT_BREAK_BEFORE =
/opt/splunk/etc/system/default/props.conf         SEGMENTATION = indexing
/opt/splunk/etc/system/default/props.conf         SEGMENTATION-all = full
/opt/splunk/etc/system/default/props.conf         SEGMENTATION-inner = inner
/opt/splunk/etc/system/default/props.conf         SEGMENTATION-outer = outer
/opt/splunk/etc/system/default/props.conf         SEGMENTATION-raw = none
/opt/splunk/etc/system/default/props.conf         SEGMENTATION-standard = standard
/opt/splunk/etc/system/default/props.conf         SHOULD_LINEMERGE = True
/opt/splunk/etc/system/default/props.conf         TRANSFORMS =
/opt/splunk/etc/apps/dw-hf_settings/default/props.conf        TRANSFORMS-hf_name = hf_name
/opt/splunk/etc/apps/launcher/local/props.conf        TRANSFORMS-host_override = ansible_override
/opt/splunk/etc/system/default/props.conf         TRUNCATE = 10000
/opt/splunk/etc/system/default/props.conf         detect_trailing_nulls = false
/opt/splunk/etc/system/default/props.conf         maxDist = 100
/opt/splunk/etc/system/default/props.conf         priority =
/opt/splunk/etc/system/default/props.conf         sourcetype =
/opt/splunk/etc/system/default/props.conf         termFrequencyWeightedDist = false
/opt/splunk/etc/system/default/props.conf         unarchive_cmd_start_mode = shell

transforms.conf:

/opt/splunk/etc/apps/launcher/local/transforms.conf        [ansible_override]
/opt/splunk/etc/system/default/transforms.conf         CAN_OPTIMIZE = True
/opt/splunk/etc/system/default/transforms.conf         CLEAN_KEYS = True
/opt/splunk/etc/system/default/transforms.conf         DEFAULT_VALUE =
/opt/splunk/etc/system/default/transforms.conf         DEPTH_LIMIT = 1000
/opt/splunk/etc/apps/launcher/local/transforms.conf        DEST_KEY = MetaData:Host
/opt/splunk/etc/apps/launcher/local/transforms.conf        FORMAT = host::$1
/opt/splunk/etc/system/default/transforms.conf         KEEP_EMPTY_VALS = False
/opt/splunk/etc/system/default/transforms.conf         LOOKAHEAD = 4096
/opt/splunk/etc/system/default/transforms.conf         MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/transforms.conf         MV_ADD = False
/opt/splunk/etc/apps/launcher/local/transforms.conf        REGEX = \"cluster_host_id\"\:s\"([a-zA-Z.-_]+)\"
/opt/splunk/etc/system/default/transforms.conf         SOURCE_KEY = _raw
/opt/splunk/etc/system/default/transforms.conf         WRITE_META = False
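The btool excerpt above already answers part of livehybrid's question: [source::ansible] carries two index-time transform classes, TRANSFORMS-hf_name from /opt/splunk/etc/apps/dw-hf_settings/default/props.conf and TRANSFORMS-host_override from the launcher app. The thread does not show the [hf_name] stanza, so what it does is not known here, but its name makes it the first thing to read. The following Python script is an added example, not code from the thread or from Splunk: it parses `splunk btool props list --debug` output (the unrestricted listing that is too long to read by hand) and lists every TRANSFORMS-<class> on a stanza together with the file that supplied it, flagging any that come from an app other than the one you expect to own the stanza. The sample input is a constructed excerpt of the output posted above. Sorting by class name is my assumption about the order in which the platform evaluates transform classes within one stanza; confirm it against props.conf.spec for your version before relying on it.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed excerpt of `splunk btool props list --debug` output, copied from the
# thread (paths and values as posted, trimmed to the lines that matter here).
BTOOL_PROPS = """\
/opt/splunk/etc/apps/launcher/local/props.conf        [source::ansible]
/opt/splunk/etc/system/default/props.conf         AUTO_KV_JSON = true
/opt/splunk/etc/system/default/props.conf         TRANSFORMS =
/opt/splunk/etc/apps/dw-hf_settings/default/props.conf        TRANSFORMS-hf_name = hf_name
/opt/splunk/etc/apps/launcher/local/props.conf        TRANSFORMS-host_override = ansible_override
/opt/splunk/etc/system/default/props.conf         TRUNCATE = 10000
"""

# btool --debug prints "<file> <stanza-or-key=value>" with a run of spaces between them.
LINE_RE = re.compile(r"^(?P<file>\S+)\s+(?P<body>.*)$")
STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
KV_RE = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")


@dataclass(frozen=True)
class Setting:
    stanza: str
    key: str
    value: str
    file: str


def parse_btool(text: str) -> List[Setting]:
    """Turn btool --debug lines into (stanza, key, value, file) records."""
    settings: List[Setting] = []
    stanza = None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body").strip()
        s = STANZA_RE.match(body)
        if s:
            stanza = s.group("name")
            continue
        kv = KV_RE.match(body)
        if kv and stanza is not None:
            settings.append(Setting(stanza, kv.group("key"), kv.group("value").strip(), m.group("file")))
    return settings


def index_time_transforms(settings: List[Setting], stanza: str) -> List[Tuple[str, str, str]]:
    """Every non-empty TRANSFORMS-<class> on the stanza as (class, transform stanza, file).

    Sorted by class name; assumed (not verified here) to be the evaluation order.
    """
    rows = [
        (s.key.split("-", 1)[1], s.value, s.file)
        for s in settings
        if s.stanza == stanza and s.key.startswith("TRANSFORMS-") and s.value
    ]
    return sorted(rows)


def foreign_transforms(settings: List[Setting], stanza: str, expected_app: str) -> List[Tuple[str, str, str]]:
    """Transforms on the stanza supplied by an app other than the one expected to own it."""
    marker = f"/etc/apps/{expected_app}/"
    return [r for r in index_time_transforms(settings, stanza) if marker not in r[2]]


if __name__ == "__main__":
    parsed = parse_btool(BTOOL_PROPS)
    for cls, target, path in index_time_transforms(parsed, "source::ansible"):
        print(f"TRANSFORMS-{cls} = {target}    ({path})")
    for cls, target, path in foreign_transforms(parsed, "source::ansible", "launcher"):
        print(f"not from launcher: TRANSFORMS-{cls} -> [{target}] in {path}")
```

Feed it the real output with `splunk btool props list --debug > props.txt` and read the file into `parse_btool`; the same parser works on `btool transforms list --debug`, which is how to then pull up the [hf_name] stanza and see which DEST_KEY it writes.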

ilhwan
Path Finder

Wow.  I'd forgotten about the question in 2022.  That was a completely different source that comes in via a TA, and I'm assuming it wouldn't interact.

Searching in fast mode still shows both hosts in the metadata host field.  I did a search for "ansible" in the field extractions screen and found nothing.  Is there an easy way to tell if I'm doing unintended search-time extractions?

This is what I see for props and transforms when I restrict it to the app:

[splunk@UPSPLHF01 ~]$ /opt/splunk/bin/splunk btool props list --app=launcher --debug
/opt/splunk/etc/apps/launcher/local/props.conf [source::ansible]
/opt/splunk/etc/apps/launcher/local/props.conf TRANSFORMS-host_override = ansible_override
[splunk@UPSPLHF01 ~]$ /opt/splunk/bin/splunk btool transforms list --app=launcher --debug
/opt/splunk/etc/apps/launcher/local/transforms.conf [ansible_override]
/opt/splunk/etc/apps/launcher/local/transforms.conf DEST_KEY = MetaData:Host
/opt/splunk/etc/apps/launcher/local/transforms.conf FORMAT = host::$1
/opt/splunk/etc/apps/launcher/local/transforms.conf REGEX = \"cluster_host_id\"\:s\"([a-zA-Z.-_]+)\"
[splunk@UPSPLHF01 ~]$

If I do not restrict it to the launcher app, it returns too much for me to post.
