- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to apply rex for a field on mutiple sources
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to apply rex for a field on mutiple sources
Hello
I am trying to change the data of the host field which has already been indexed. The host field has values in 3 different formats . What I am looking to do is to take the value of IP as it is and then for any FQDN's just extract the first part and ignore rest.
- IP Address : 10.1.1.1
- FQDN 1 = abc123.company.com
- FQDN 2 = abc123.ntwrk.company.com
So when I use this regex on the SH rex field=host "(?P<host>\d+\.\d+\.\d+\.\d+|([A-Za-z0-9]+))" it works without any issues. I have to apply this on /var/log/splunk/.../.../.../*.log a path which is being used as a source for multiple indexes.
So the props.conf I have as
[source::/var/log/splunk/.../.../.../*.log]
TRANSFORMS-replacehostname = replace_host
and transforms .conf as
[replace_host]
SOURCE_KEY=fields:host
REGEX = ^host::(\d+\.\d+\.\d+\.\d+|([A-Za-z0-9]+))
FORMAT = host::$1
DEST_KEY = Metadata:Host
I am sending this to SH and it looks like it doesn't make any change. Any help on why its not working?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And also as an alternative you can place your rex command in the props.conf as this:
[sourcetype]
.....
EXTRACT-host = (?P<host>\d+\.\d+\.\d+\.\d+|([A-Za-z0-9]+))
no need of using transforms.conf here
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
place it on the indexer as well... Since splunk refers transforms.conf during index time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this...
In props.conf:
REPORT-gethost = gethost
In transforms.conf:
[gethost]
SOURCE_KEY = _raw
REGEX = (?<extracted_newhost>(\d+\.\d+\.\d+\.\d+|([A-Za-z0-9]+))$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Even this doesn't work, when I try it on [source::/var/log/splunk/.../.../.../*.log]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
searchhead
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
where are you placing your props.conf and transforms.conf..
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
