Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

transforms.conf not working

prashant_kumar_
Explorer
‎01-24-2022 05:04 AM

I have events like this comin from Heavy forwarder

"geo": {"continent": "NA", "country": "UK", "city": "LONDON"}, "hostname": "xxxx xxx xxxx"

I have to override the host metadata with the hostname field from the event.

my transforms.conf

[hostoverride]
SOURCE_KEY = hostname
REGEX = (.*)
DEST_KEY = MetaData:Host
FORMAT = host::$1

props.conf
[sourcetypename]
.
.
.
TRANSFORMS-hostoverride = hostoverride


In some of the events I am still getting the Heavy forwarder name. 
Thanks for the help in Advance

Labels (3)
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

prashant_kumar_
Explorer
‎01-27-2022 07:06 AM

Regex was right, due to the size of data the hostname at the end of the events greater than 4096 character were missed and HF name was showing up.
changes I made in transforms.conf:
[hostoverride]
REGEX = hostname\"\:\s\"(.*)\"
DEST_KEY = MetaData:Host
FORMAT = host::$1

LOOKAHEAD = 10000

and it worked!!!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

a_m_s
Explorer
‎01-24-2022 06:21 AM

@prashant_kumar_  use this transforms

[hostoverride]
REGEX = hostname\"\:\"(.*)\"
DEST_KEY = MetaData:Host
FORMAT = host::$1

props.conf 

[override]
TRANSFORMS-ooo = hostoverride
INDEXED_EXTRACTIONS = json
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
disabled = false
pulldown_type = true

my test file 

{"geo":"NA","city":"UK","country":"London","hostname":"lp5cd8213yt4"} 

a_m_s_0-1643034056054.png

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

prashant_kumar_
Explorer
‎01-27-2022 07:06 AM

Regex was right, due to the size of data the hostname at the end of the events greater than 4096 character were missed and HF name was showing up.
changes I made in transforms.conf:
[hostoverride]
REGEX = hostname\"\:\s\"(.*)\"
DEST_KEY = MetaData:Host
FORMAT = host::$1

LOOKAHEAD = 10000

and it worked!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...