Splunk Search

Host override at search time

giorgio_adami_m
Path Finder

I want to override the Host value at search time, not at index time because I need to override it just in the context of a specific app.

EXTRACT-field = (?P<host>my_regex)

It does not work. Why?
Is there another way to do this?

Tags (2)

jkat54
SplunkTrust
SplunkTrust

Does this work?

EXTRACT-field = (?P<otherField>my_regex)
EVAL-host = otherField
0 Karma

claudio_manig
Communicator

I had an another approach which is a bit hacky but seems to work so far:
Extracting the host with extract or report in a new field called host_temp (i used report and transforms)
Created an alias for host_temp to host

Thats it, don't ask me how stable that solution is.
Cheers

mkemmerer
Explorer

I was able to do it in SPL for a top event (replacing the hostname with the extracted user name). Perhaps you could make a macro for ease of implementation?

Here's the sample event:

20861  root              20     0  130284    1956    1192   R    11.8     0.0       0:00.03  top

Here's the query:

index=os sourcetype=top| rex field=_raw "^\s+\d+\s+(?P<host>\w+)"
0 Karma

bnorthway
Path Finder

I don't think this is possible. I was trying to do the same thing. Here are instructions for overriding the host value. Note, however, that the doc for transforms.conf indicates that the DEST_KEY attribute is only valid for index-time operations. Also, the TRANSFORMS attribute in props.conf is only valid at index-time as well.

Given this, I plan on re-importing my data.

0 Karma

kheli
Path Finder

make sure u search within the context of the app

0 Karma

giorgio_adami_m
Path Finder

I am damn sure.
The problem is the name "host". If I try to give another name to my field, the EXTRACT works, but I need to override "host".

Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...