Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

transforms.conf not working

prashant_kumar_
Explorer
‎01-24-2022 05:04 AM

I have events like this comin from Heavy forwarder

"geo": {"continent": "NA", "country": "UK", "city": "LONDON"}, "hostname": "xxxx xxx xxxx"

I have to override the host metadata with the hostname field from the event.

my transforms.conf

[hostoverride]
SOURCE_KEY = hostname
REGEX = (.*)
DEST_KEY = MetaData:Host
FORMAT = host::$1

props.conf
[sourcetypename]
.
.
.
TRANSFORMS-hostoverride = hostoverride


In some of the events I am still getting the Heavy forwarder name. 
Thanks for the help in Advance

Labels (3)
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

prashant_kumar_
Explorer
‎01-27-2022 07:06 AM

Regex was right, due to the size of data the hostname at the end of the events greater than 4096 character were missed and HF name was showing up.
changes I made in transforms.conf:
[hostoverride]
REGEX = hostname\"\:\s\"(.*)\"
DEST_KEY = MetaData:Host
FORMAT = host::$1

LOOKAHEAD = 10000

and it worked!!!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

a_m_s
Explorer
‎01-24-2022 06:21 AM

@prashant_kumar_  use this transforms

[hostoverride]
REGEX = hostname\"\:\"(.*)\"
DEST_KEY = MetaData:Host
FORMAT = host::$1

props.conf 

[override]
TRANSFORMS-ooo = hostoverride
INDEXED_EXTRACTIONS = json
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
disabled = false
pulldown_type = true

my test file 

{"geo":"NA","city":"UK","country":"London","hostname":"lp5cd8213yt4"} 

a_m_s_0-1643034056054.png

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

prashant_kumar_
Explorer
‎01-27-2022 07:06 AM

Regex was right, due to the size of data the hostname at the end of the events greater than 4096 character were missed and HF name was showing up.
changes I made in transforms.conf:
[hostoverride]
REGEX = hostname\"\:\s\"(.*)\"
DEST_KEY = MetaData:Host
FORMAT = host::$1

LOOKAHEAD = 10000

and it worked!!!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...