Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure props and transforms with the proper regex to capture and assign hosts from a TCP data stream?

a212830
Champion
‎03-22-2015 08:47 PM

Hi,

I have a tcp data stream that has embedded hosts that I need to transform, and I'm hoping to get some regex help. Here's the stream:

2015-03-22 17:13:36 "myhost" some random and variable message text...

What would my transforms be set to? (The quotes are part of the message).

tia...

0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎03-22-2015 11:48 PM

Be sure your syntax conforms with this example.
The transforms.conf stanza would look something like this:

[force_the_host]
REGEX = ^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s\"([^\"]+)\"
FORMAT = host::$1
DEST_KEY = MetaData:Host

**Note the capturing group, just after the double quote says "anything that is not a double quote".

in props.conf you would have:

TRANSFORMS-force_host=force_the_host
With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...