Knowledge Management

Problems Setting Host Values Based On Event Data

Path Finder

I have a v4.1.4 full forwarder setup to forward the Windows system and application event logs to a v4.1.4 indexer. At this point, events coming from both event logs have the hostname of the forwarder (sbkhpsim1) in the "host=" field. However, in the application event log only, I need to substitute the forwarder's hostname in the "host=" field to the name of a host within the event. Below are the inputs.conf, props.conf, and transforms.conf files from the forwarder. The REGEX to do the substitution works, so I don't think that's the issue. ANY help is appreciated.


host = sbkhpsim1

disabled = false

disabled = false
sourcetype = WindowsAppEventLog


TRANSFORMS-sim = GetEventOrigName


REGEX = ^Event\soriginator:\s(\w+\-?\w+)
DEST_KEY = MetaData:Host
FORMAT = host::$1

Event Text

05/15/12 07:30:01 AM
SourceName=HP Systems Insight Manager
Message=sbkesx14: (SNMP) Accelerator Board Status Change (3038): 
Event Name: (SNMP) Accelerator Board Status Change (3038)
Event originator: sbkesx14
Event Severity: Critical
Event received: 15-May-2012, 07:28:51

Event description: Accelerator Board Status Change.  This trap signifies that the agent has detected a change in the status of an array accelerator cache board.  The current status is represented by the variable cpqDaAccelStatus.  User Action: If the accelerator board status is permDisabled(5), you may need to replace the accelerator board.

Location: Slot 6
Model: sa-p400
Serial Number: PA2270J9SW1878
Total Memory: 524288
Status: tmpDisabled
Error Code: lowBattery
Tags (1)
0 Karma

Ultra Champion

I think the caret (^) in the regex is the culprit. If I remember correctly, the line doesn't start there, the text is indented. Also, you may wish to state that it's a multiline event. Try the following regex;


Hope this helps,


0 Karma

Ultra Champion

fixed typo. sorry. /k

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...