Solved: transforms.conf not working

prashant_kumar_ · ‎01-24-2022

I have events like this comin from Heavy forwarder

"geo": {"continent": "NA", "country": "UK", "city": "LONDON"}, "hostname": "xxxx xxx xxxx"

I have to override the host metadata with the hostname field from the event.

my transforms.conf

[hostoverride]
SOURCE_KEY = hostname
REGEX = (.*)
DEST_KEY = MetaData:Host
FORMAT = host::$1

props.conf
[sourcetypename]
.
.
.
TRANSFORMS-hostoverride = hostoverride

In some of the events I am still getting the Heavy forwarder name.
Thanks for the help in Advance

prashant_kumar_ · ‎01-27-2022

Regex was right, due to the size of data the hostname at the end of the events greater than 4096 character were missed and HF name was showing up.
changes I made in transforms.conf:
[hostoverride]
REGEX = hostname\"\:\s\"(.*)\"
DEST_KEY = MetaData:Host
FORMAT = host::$1

LOOKAHEAD = 10000

and it worked!!!

View solution in original post

a_m_s · ‎01-24-2022

@prashant_kumar_ use this transforms

[hostoverride]
REGEX = hostname\"\:\"(.*)\"
DEST_KEY = MetaData:Host
FORMAT = host::$1

props.conf

[override]
TRANSFORMS-ooo = hostoverride
INDEXED_EXTRACTIONS = json
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
disabled = false
pulldown_type = true

my test file

{"geo":"NA","city":"UK","country":"London","hostname":"lp5cd8213yt4"}

prashant_kumar_ · ‎01-27-2022

Regex was right, due to the size of data the hostname at the end of the events greater than 4096 character were missed and HF name was showing up.
changes I made in transforms.conf:
[hostoverride]
REGEX = hostname\"\:\s\"(.*)\"
DEST_KEY = MetaData:Host
FORMAT = host::$1

LOOKAHEAD = 10000

and it worked!!!

transforms.conf not working

heavy forwarder

props.conf

transforms.conf

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?