I have logs coming in from /var/log/messages and /var/log/maillog which have the hostname not the FQDN. There is just too much change control and politics to get them fixed at the source. Looking for a way at index time to just make the correction.
Server names are well formed: 12 characters ending in three digits.
So I need to create a props.conf/transforms.conf on my indexer, just not sure what it will look like.
If host = .*\n\n\n then append mycompany.com
Any ideas what that might look like?
This should match any host that does not end with .com, and append mycompany.com onto the current value
# transforms.conf
[yourstanzaname]
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Host
REGEX = (.*$)(?<!\.com$)
FORMAT = host::$1mycompany.com
REGEX = .*$(?<!\.com$)
FORMAT = host::$0mycompany.com
Updated, because you meant THAT Host.
Just kidding, I just forgot we were talking about an ultra special snowflake of a MetaData field.
Updated one more time, to change $1 because contextually we're in a .conf file and not a
Doesn't seem to be flying. Tried this config as well as swapping host for MetaData:Host in your DEST_KEY. I feel like I am missing something key here.
#props.conf
[syslog]
TRANSFORMS-FIELDS = syslog_fix_fqdn

#transforms.conf
[syslog_fix_fqdn]
SOURCE_KEY = host
DEST_KEY = host
REGEX = .*$(?<!\.com$)
FORMAT = \0ilovethecompany.com
Thanks for replying!
I tried the new code and I ended up with my hostnames getting changed to
Not following how that capture should work there. How does \1 and \0 refer back to the above regex?
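Added example, not from any post in this thread: a small Python simulation of what an index-time transform does with the host field, so the two regexes can be compared offline. When SOURCE_KEY is MetaData:Host, the value Splunk hands to the transform carries the "host::" prefix, and FORMAT refers to capture groups as $0, $1 and so on (not \0 or \1); the simulation applies the same search-and-expand logic to constructed sample host values. The stanza name syslog_fix_fqdn is taken from the config posted above, "mycompany.com" is the placeholder domain from the question, and the sample host names are constructed to match the stated shape (12 characters ending in three digits). The corrected stanza matches that shape directly instead of using a negative lookbehind on ".com", strips the prefix before rebuilding the value, and adds the dot that the original FORMAT strings leave out.

```python
import configparser
import re

# Added example (not the thread's own config): a transforms.conf stanza that
# rewrites a short host name to an FQDN at index time.  The host-name shape
# (12 characters ending in three digits) is from the question; "mycompany.com"
# is the placeholder domain from the question; "syslog_fix_fqdn" is the stanza
# name used in the poster's own config.
TRANSFORMS_CONF = """
[syslog_fix_fqdn]
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Host
REGEX = ^host::([^.]{9}[0-9]{3})$
FORMAT = host::$1.mycompany.com
"""

# The REGEX/FORMAT pair from the answer above, kept here for comparison.
ANSWER_REGEX = r"(.*$)(?<!\.com$)"
ANSWER_FORMAT = "host::$1mycompany.com"

# Constructed sample values, written the way a transform with
# SOURCE_KEY = MetaData:Host sees them: the field arrives with its "host::" prefix.
SAMPLE_HOSTS = [
    "host::syslogsrv001",       # short name, should become an FQDN
    "host::mailrelay042",       # short name, should become an FQDN
    "host::mx1.mycompany.com",  # already an FQDN, must be left alone
]


def load_transform(conf_text, stanza):
    """Parse a transforms.conf fragment (INI syntax) and return one stanza as a dict."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them verbatim
    cp.read_string(conf_text)
    return dict(cp[stanza])


def apply_transform(source_value, regex, fmt):
    """Mimic one index-time transform: search REGEX in the SOURCE_KEY value and
    expand Splunk's $N capture references in FORMAT.  Returns the new DEST_KEY
    value, or None when REGEX does not match (Splunk then leaves the field alone)."""
    m = re.search(regex, source_value)
    if m is None:
        return None
    # Splunk FORMAT uses $0, $1, ...; Python's Match.expand() wants \g<N>.
    template = re.sub(r"\$(\d+)", r"\\g<\1>", fmt)
    return m.expand(template)


def rewrite_hosts(hosts, regex, fmt):
    """Apply the transform to every host value; unmatched values pass through unchanged."""
    return [apply_transform(h, regex, fmt) or h for h in hosts]


if __name__ == "__main__":
    t = load_transform(TRANSFORMS_CONF, "syslog_fix_fqdn")
    print("answer's transform :", rewrite_hosts(SAMPLE_HOSTS, ANSWER_REGEX, ANSWER_FORMAT))
    print("corrected transform:", rewrite_hosts(SAMPLE_HOSTS, t["REGEX"], t["FORMAT"]))
```

Running it shows the answer's regex turning "host::syslogsrv001" into "host::host::syslogsrv001mycompany.com" (doubled prefix, no dot), while the corrected stanza yields "host::syslogsrv001.mycompany.com" and leaves "host::mx1.mycompany.com" untouched. To use the stanza for real, reference it from a props.conf stanza for the sourcetype (for example `[syslog]` with `TRANSFORMS-fqdn = syslog_fix_fqdn`) on the indexer or heavy forwarder that parses the data; index-time transforms only affect events indexed after the change, so data already on disk keeps the short host name.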
Hey @daniel333 if they solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!