Splunk Search

How to configure props and transforms with the proper regex to capture and assign hosts from a TCP data stream?



I have a tcp data stream that has embedded hosts that I need to transform, and I'm hoping to get some regex help. Here's the stream:

2015-03-22 17:13:36 "myhost" some random and variable message text...

What would my transforms be set to? (The quotes are part of the message).


0 Karma

Splunk Employee
Splunk Employee

Be sure your syntax conforms with this example.
The transforms.conf stanza would look something like this:

REGEX = ^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s\"([^\"]+)\"
FORMAT = host::$1
DEST_KEY = MetaData:Host

**Note the capturing group, just after the double quote says "anything that is not a double quote".

in props.conf you would have:

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In June, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security ...

Index This | What gets bigger the more you remove?

June 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...