Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure props and transforms with the proper regex to capture and assign hosts from a TCP data stream?

a212830
Champion
‎03-22-2015 08:47 PM

Hi,

I have a tcp data stream that has embedded hosts that I need to transform, and I'm hoping to get some regex help. Here's the stream:

2015-03-22 17:13:36 "myhost" some random and variable message text...

What would my transforms be set to? (The quotes are part of the message).

tia...

0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎03-22-2015 11:48 PM

Be sure your syntax conforms with this example.
The transforms.conf stanza would look something like this:

[force_the_host]
REGEX = ^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s\"([^\"]+)\"
FORMAT = host::$1
DEST_KEY = MetaData:Host

**Note the capturing group, just after the double quote says "anything that is not a double quote".

in props.conf you would have:

TRANSFORMS-force_host=force_the_host
With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top