Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

host value to be picked from the source log file

sureshkumaar
Path Finder
3 weeks ago

in regex101.com, tested below REGEX it was working

Updated below props.conf and transforms.conf in deployment server and 2 heavy forwarders as well, but not working

props.conf
[nix:messages]
TRANSFORMS-set_host = set_custom_host

transforms.conf
[set_custom_host]
REGEX = /TUC-[^/]+/[^/\n]+/([^-\n]+(?:-[^-\n]+){0,3})-(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})-\d{2}-\d{2}-\d{4}\.log
FORMAT = host::$1
DEST_KEY = MetaData:Host

 

/TUC-RST50/OOB/TUC-RST50M01ZTDCGDG01-01U-01-55.66.77.888-20-03-2025.log

/TUC-SNK50/OOB/TUC-RST50N03ZTLEFCG02-20U-SRV02-44.55.66.777-21-03-2025.log

/TUC-TYB50/OOB/TUC-RST50S03ZTLEFDB0B-20U-SRV01-33.44.55.666-21-03-2025.log

/TUC-RST50/firewall/TUC-RST50M01ZTCOMDE0C-30U-EMSFW01-22.33.44.555-22-03-2025.log

/TUC-SNK50/OOB/TUC-RST50M01FTIFW-11.22.33.444-22-03-2025.log

 

BELOW output should get updated in the host field

TUC-RST50M01ZTDCGDG01-01U-01

TUC-RST50N03ZTLEFCG02-20U-SRV02

TUC-RST50S03ZTLEFDB0B-20U-SRV01

TUC-RST50M01ZTCOMDE0C-30U-EMSFW01

TUC-RST50M01FTIFW

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
3 weeks ago

I suppose you want to extract the host part from the filename in source field. You didn't specify it in your transform - it's matching the raw event.

You need

SOURCE_KEY = MetaData:Source

View solution in original post

Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
3 weeks ago

I suppose you want to extract the host part from the filename in source field. You didn't specify it in your transform - it's matching the raw event.

You need

SOURCE_KEY = MetaData:Source
Reply
Solved! Jump to solution

sureshkumaar
Path Finder
3 weeks ago

Thanks @PickleRick  - it worked out

 

[set_custom_host]
REGEX = /TUC-[^/]+/[^/\n]+/([^-\n]+(?:-[^-\n]+){0,3})-(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})-\d{2}-\d{2}-\d{4}\.log
FORMAT = host::$1
DEST_KEY = MetaData:Host
SOURCE_KEY = MetaData:Source

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top