Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

transforms.conf not working

prashant_kumar_
Explorer
‎01-24-2022 05:04 AM

I have events like this comin from Heavy forwarder

"geo": {"continent": "NA", "country": "UK", "city": "LONDON"}, "hostname": "xxxx xxx xxxx"

I have to override the host metadata with the hostname field from the event.

my transforms.conf

[hostoverride]
SOURCE_KEY = hostname
REGEX = (.*)
DEST_KEY = MetaData:Host
FORMAT = host::$1

props.conf
[sourcetypename]
.
.
.
TRANSFORMS-hostoverride = hostoverride


In some of the events I am still getting the Heavy forwarder name. 
Thanks for the help in Advance

Labels (3)
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

prashant_kumar_
Explorer
‎01-27-2022 07:06 AM

Regex was right, due to the size of data the hostname at the end of the events greater than 4096 character were missed and HF name was showing up.
changes I made in transforms.conf:
[hostoverride]
REGEX = hostname\"\:\s\"(.*)\"
DEST_KEY = MetaData:Host
FORMAT = host::$1

LOOKAHEAD = 10000

and it worked!!!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

a_m_s
Explorer
‎01-24-2022 06:21 AM

@prashant_kumar_  use this transforms

[hostoverride]
REGEX = hostname\"\:\"(.*)\"
DEST_KEY = MetaData:Host
FORMAT = host::$1

props.conf 

[override]
TRANSFORMS-ooo = hostoverride
INDEXED_EXTRACTIONS = json
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
disabled = false
pulldown_type = true

my test file 

{"geo":"NA","city":"UK","country":"London","hostname":"lp5cd8213yt4"} 

a_m_s_0-1643034056054.png

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

prashant_kumar_
Explorer
‎01-27-2022 07:06 AM

Regex was right, due to the size of data the hostname at the end of the events greater than 4096 character were missed and HF name was showing up.
changes I made in transforms.conf:
[hostoverride]
REGEX = hostname\"\:\s\"(.*)\"
DEST_KEY = MetaData:Host
FORMAT = host::$1

LOOKAHEAD = 10000

and it worked!!!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...