I'm trying to rewrite the host field on events that are coming into a HEC on an HF. It's populating the hostname of the HF as host, and I'd really like to use what's in the event.
props.conf:
[source::ansible]
TRANSFORMS-hostoverride = ansible_override

transforms.conf:
[ansible_override]
DEST_KEY = MetaData:Host
REGEX = \"cluster_host_id\"\:s\"([a-zA-Z.-_]+)\"
FORMAT = host::$1

Here's a sample raw event:
{"@timestamp": "2026-01-23T18:09:35.832Z", "message": "Request appeared to be a trusted upstream proxy but failed to provide a matching shared secret.", "host": "uiitaap31.xxx.com", "level": "WARNING", "logger_name": "awx.api.generics", "stack_info": null, "guid": "c1daaaf92a4f403bb5739802f5d33d93", "cluster_host_id": "uiitaap31.xxx.com", "tower_uuid": null}

This is what I'm getting:
Instead of replacing the host, it's appending. What am I doing wrong?
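As an added check (editor's example, not code from the original post): this script runs the transform's REGEX exactly as pasted against the sample event, beside a tightened regex of my own, and lists top-level JSON keys that share a name with Splunk metadata fields (AUTO_KV_JSON is enabled in the btool output further down, so such keys are also extracted at search time). REGEX_FIXED, REGEX_LETTERS_ONLY and the function names are assumptions I introduce here.

```python
import json
import re

# Constructed copy of the sample raw event from the post (values as pasted there).
SAMPLE_EVENT = (
    '{"@timestamp": "2026-01-23T18:09:35.832Z", "message": "Request appeared to be a '
    'trusted upstream proxy but failed to provide a matching shared secret.", '
    '"host": "uiitaap31.xxx.com", "level": "WARNING", "logger_name": "awx.api.generics", '
    '"stack_info": null, "guid": "c1daaaf92a4f403bb5739802f5d33d93", '
    '"cluster_host_id": "uiitaap31.xxx.com", "tower_uuid": null}'
)

# REGEX exactly as it appears in the [ansible_override] stanza in the post.
# "\:s" matches a literal ":s", not colon-plus-whitespace, so it cannot match
# the sample event, which has ": " after the key.
REGEX_AS_POSTED = r'\"cluster_host_id\"\:s\"([a-zA-Z.-_]+)\"'

# Hypothetical tightened version: \s* for the whitespace after the colon and an
# explicit hostname character class. The ".-_" in the original is a range
# 0x2E..0x5F, which happens to include digits (and ":", ";", "<", "=", ...).
REGEX_FIXED = r'"cluster_host_id":\s*"([A-Za-z0-9._-]+)"'

# Same as REGEX_FIXED but with the "intended" letters-only class: shows that the
# original range only captures "uiitaap31" because of the accidental digit coverage.
REGEX_LETTERS_ONLY = r'"cluster_host_id":\s*"([a-zA-Z._-]+)"'


def extract_host(regex: str, raw: str):
    """Value the transform would write to MetaData:Host for this event, or None."""
    m = re.search(regex, raw)
    return m.group(1) if m else None


def metadata_key_collisions(raw: str, meta=("host", "source", "sourcetype", "index")):
    """Top-level JSON keys that collide with Splunk metadata field names.

    With AUTO_KV_JSON / KV_MODE=json such keys are extracted at search time under
    the same field name, so a field like host can show more than one value."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return []
    return sorted(k for k in doc if k in meta)


if __name__ == "__main__":
    print("as posted:   ", extract_host(REGEX_AS_POSTED, SAMPLE_EVENT))
    print("fixed:       ", extract_host(REGEX_FIXED, SAMPLE_EVENT))
    print("letters only:", extract_host(REGEX_LETTERS_ONLY, SAMPLE_EVENT))
    print("colliding keys:", metadata_key_collisions(SAMPLE_EVENT))
```

Run it with `python3 check_transform.py`; a regex that returns None here will not fire on the HF either, regardless of which transform stanza wins in btool.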
Aren't you by any chance using indexed extractions?
Hi @ilhwan
I noticed back in 2022 you posted something similar to this around some sourcetypes and changing the host, so I just wanted to check - is there any chance there could be a conflict between these props/transforms and previous ones deployed?
Are you able to check the other props.conf configs for this same sourcetype to ensure no other transforms are being applied? As far as I can tell the way you are doing it should overwrite the existing host value which makes me wonder if something else is appending it somewhere.
Are you also able to confirm that there are no other search-time extractions occurring?
If you run the search in fast mode do you get the same host values (2 values per event)?
Okay. I think I managed to cut out just the relevant stanzas from the big btool outputs
props.conf:
/opt/splunk/etc/apps/launcher/local/props.conf [source::ansible]
/opt/splunk/etc/system/default/props.conf ADD_EXTRA_TIME_FIELDS = True
/opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True
/opt/splunk/etc/system/default/props.conf AUTO_KV_JSON = true
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE =
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True
/opt/splunk/etc/system/default/props.conf CHARSET = UTF-8
/opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml
/opt/splunk/etc/system/default/props.conf DEPTH_LIMIT = 1000
/opt/splunk/etc/system/default/props.conf DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false
/opt/splunk/etc/system/default/props.conf HEADER_MODE =
/opt/splunk/etc/system/default/props.conf LB_CHUNK_BREAKER_TRUNCATE = 2000000
/opt/splunk/etc/system/default/props.conf LEARN_MODEL = true
/opt/splunk/etc/system/default/props.conf LEARN_SOURCETYPE = true
/opt/splunk/etc/system/default/props.conf LINE_BREAKER_LOOKBEHIND = 100
/opt/splunk/etc/system/default/props.conf MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/props.conf MAX_DAYS_AGO = 2000
/opt/splunk/etc/system/default/props.conf MAX_DAYS_HENCE = 2
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_AGO = 3600
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_HENCE = 604800
/opt/splunk/etc/system/default/props.conf MAX_EVENTS = 256
/opt/splunk/etc/system/default/props.conf MAX_EXPECTED_EVENT_LINES = 7
/opt/splunk/etc/system/default/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
/opt/splunk/etc/system/default/props.conf MUST_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_BEFORE =
/opt/splunk/etc/system/default/props.conf SEGMENTATION = indexing
/opt/splunk/etc/system/default/props.conf SEGMENTATION-all = full
/opt/splunk/etc/system/default/props.conf SEGMENTATION-inner = inner
/opt/splunk/etc/system/default/props.conf SEGMENTATION-outer = outer
/opt/splunk/etc/system/default/props.conf SEGMENTATION-raw = none
/opt/splunk/etc/system/default/props.conf SEGMENTATION-standard = standard
/opt/splunk/etc/system/default/props.conf SHOULD_LINEMERGE = True
/opt/splunk/etc/system/default/props.conf TRANSFORMS =
/opt/splunk/etc/apps/dw-hf_settings/default/props.conf TRANSFORMS-hf_name = hf_name
/opt/splunk/etc/apps/launcher/local/props.conf TRANSFORMS-host_override = ansible_override
/opt/splunk/etc/system/default/props.conf TRUNCATE = 10000
/opt/splunk/etc/system/default/props.conf detect_trailing_nulls = false
/opt/splunk/etc/system/default/props.conf maxDist = 100
/opt/splunk/etc/system/default/props.conf priority =
/opt/splunk/etc/system/default/props.conf sourcetype =
/opt/splunk/etc/system/default/props.conf termFrequencyWeightedDist = false
/opt/splunk/etc/system/default/props.conf unarchive_cmd_start_mode = shell

transforms.conf:
/opt/splunk/etc/apps/launcher/local/transforms.conf [ansible_override]
/opt/splunk/etc/system/default/transforms.conf CAN_OPTIMIZE = True
/opt/splunk/etc/system/default/transforms.conf CLEAN_KEYS = True
/opt/splunk/etc/system/default/transforms.conf DEFAULT_VALUE =
/opt/splunk/etc/system/default/transforms.conf DEPTH_LIMIT = 1000
/opt/splunk/etc/apps/launcher/local/transforms.conf DEST_KEY = MetaData:Host
/opt/splunk/etc/apps/launcher/local/transforms.conf FORMAT = host::$1
/opt/splunk/etc/system/default/transforms.conf KEEP_EMPTY_VALS = False
/opt/splunk/etc/system/default/transforms.conf LOOKAHEAD = 4096
/opt/splunk/etc/system/default/transforms.conf MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/transforms.conf MV_ADD = False
/opt/splunk/etc/apps/launcher/local/transforms.conf REGEX = \"cluster_host_id\"\:s\"([a-zA-Z.-_]+)\"
/opt/splunk/etc/system/default/transforms.conf SOURCE_KEY = _raw
/opt/splunk/etc/system/default/transforms.conf WRITE_META = False
Wow. I'd forgotten about the question in 2022. That was a completely different source that comes in via a TA, and I'm assuming it wouldn't interact.
Searching in fast mode still shows both hosts in the metadata host field. I did a search for "ansible" in the field extractions screen and found nothing. Is there an easy way to tell if I'm doing unintended search-time extractions?
This is what I see for props and transforms when I restrict it to the app:
[splunk@UPSPLHF01 ~]$ /opt/splunk/bin/splunk btool props list --app=launcher --debug
/opt/splunk/etc/apps/launcher/local/props.conf [source::ansible]
/opt/splunk/etc/apps/launcher/local/props.conf TRANSFORMS-host_override = ansible_override
[splunk@UPSPLHF01 ~]$ /opt/splunk/bin/splunk btool transforms list --app=launcher --debug
/opt/splunk/etc/apps/launcher/local/transforms.conf [ansible_override]
/opt/splunk/etc/apps/launcher/local/transforms.conf DEST_KEY = MetaData:Host
/opt/splunk/etc/apps/launcher/local/transforms.conf FORMAT = host::$1
/opt/splunk/etc/apps/launcher/local/transforms.conf REGEX = \"cluster_host_id\"\:s\"([a-zA-Z.-_]+)\"
[splunk@UPSPLHF01 ~]$

If I do not restrict it to the launcher app, it returns too much for me to post.