Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure props and transforms with the proper regex to capture and assign hosts from a TCP data stream?

a212830
Champion
‎03-22-2015 08:47 PM

Hi,

I have a tcp data stream that has embedded hosts that I need to transform, and I'm hoping to get some regex help. Here's the stream:

2015-03-22 17:13:36 "myhost" some random and variable message text...

What would my transforms be set to? (The quotes are part of the message).

tia...

0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎03-22-2015 11:48 PM

Be sure your syntax conforms with this example.
The transforms.conf stanza would look something like this:

[force_the_host]
REGEX = ^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s\"([^\"]+)\"
FORMAT = host::$1
DEST_KEY = MetaData:Host

**Note the capturing group, just after the double quote says "anything that is not a double quote".

in props.conf you would have:

TRANSFORMS-force_host=force_the_host
With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...