I want to override the Host value at search time, not at index time because I need to override it just in the context of a specific app.
EXTRACT-field = (?P<host>my_regex)
It does not work. Why?
Is there another way to do this?
Does this work?
EXTRACT-field = (?P<otherField>my_regex)
EVAL-host = otherField
I had another approach which is a bit hacky but seems to work so far:
Extracting the host with EXTRACT or REPORT into a new field called host_temp (I used REPORT and transforms)
Created an alias for host_temp to host
That's it; don't ask me how stable that solution is.
Cheers
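The host_temp-plus-alias workaround above, spelled out as props.conf and transforms.conf stanzas. This is an added example, not the poster's own configuration; it assumes the source type is named top and that the host value is the second whitespace-separated column of each event (the layout of the sample top event quoted further down in this thread), so adjust REGEX to your data.

```ini
# transforms.conf
# Search-time extraction into a scratch field. The target cannot be "host"
# itself, because host is an indexed default field (the reason EXTRACT-field
# with a (?P<host>...) group does not take effect).
[extract_host_temp]
# Assumed layout: optional leading spaces, PID, spaces, then the value to use.
REGEX  = ^\s*\d+\s+(\w+)
FORMAT = host_temp::$1

# props.conf (in the app where the override should apply)
[top]
# Run the transform at search time.
REPORT-host_temp = extract_host_temp
# Expose the scratch field under the name "host" for searches in this app.
FIELDALIAS-host_override = host_temp AS host
```

Because this is search-time only, the indexed host value is unchanged; the alias is visible only where this app's props.conf is in scope, which matches the original requirement.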
I was able to do it in SPL for a top event (replacing the hostname with the extracted user name). Perhaps you could make a macro for ease of implementation?
Here's the sample event:
20861 root 20 0 130284 1956 1192 R 11.8 0.0 0:00.03 top
Here's the query:
index=os sourcetype=top | rex field=_raw "^\s+\d+\s+(?P<host>\w+)"
I don't think this is possible. I was trying to do the same thing. Here are instructions for overriding the host value. Note, however, that the doc for transforms.conf indicates that the DEST_KEY attribute is only valid for index-time operations. Also, the TRANSFORMS attribute in props.conf is only valid at index time as well.
Given this, I plan on re-importing my data.
Make sure you search within the context of the app.
I am damn sure.
The problem is the name "host". If I try to give another name to my field, the EXTRACT works, but I need to override "host".