Splunk Search

How to configure props and transforms with the proper regex to capture and assign hosts from a TCP data stream?



I have a TCP data stream that has embedded hosts that I need to transform, and I'm hoping to get some regex help. Here's the stream:

2015-03-22 17:13:36 "myhost" some random and variable message text...

What would my transforms be set to? (The quotes are part of the message).


0 Karma

Splunk Employee

Be sure your syntax conforms with this example.
The transforms.conf stanza would look something like this:

# The stanza name below is a placeholder; use whatever name your props.conf refers to.
[set_host_from_quoted_field]
REGEX = ^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s\"([^\"]+)\"
FORMAT = host::$1
DEST_KEY = MetaData:Host

Note: the capturing group, just after the double quote, says "anything that is not a double quote".

In props.conf you would have:

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
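To check the regex against sample lines before touching a live indexer, here is an added Python script (not part of the answer and not Splunk's own code) that applies the REGEX/FORMAT/DEST_KEY settings above the way Splunk's index-time host override does. The sample lines and the fallback host name are constructed, and it assumes the props.conf wiring the answer refers to is already in place.

```python
import re

# Constructed sample of the question's TCP stream; the third line has no
# quoted host so the regex does not match it and the host is left unchanged.
SAMPLE_STREAM = [
    '2015-03-22 17:13:36 "myhost" some random and variable message text...',
    '2015-03-22 17:13:37 "web-01.example.net" another message',
    '2015-03-22 17:13:38 no quoted host on this line',
]

# The transforms.conf settings from the answer, keyed as Splunk reads them.
TRANSFORM = {
    "REGEX": r'^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s\"([^\"]+)\"',
    "FORMAT": "host::$1",
    "DEST_KEY": "MetaData:Host",
}


def apply_host_transform(line, transform=TRANSFORM, current_host="tcp-input"):
    """Mimic Splunk's index-time host override for one raw event.

    If REGEX matches, FORMAT is expanded with the capture groups and written
    to DEST_KEY; otherwise the event keeps the host it already had
    (current_host is a constructed placeholder for that value).
    """
    match = re.search(transform["REGEX"], line)
    if match is None:
        return current_host
    # Splunk replaces $1, $2, ... in FORMAT with the numbered capture groups.
    value = transform["FORMAT"]
    for n, group in enumerate(match.groups(), start=1):
        value = value.replace(f"${n}", group)
    # For DEST_KEY = MetaData:Host the expanded value must read host::<name>.
    if transform["DEST_KEY"] != "MetaData:Host":
        raise ValueError("this helper only models the MetaData:Host case")
    key, sep, host = value.partition("::")
    if key != "host" or not sep or not host:
        raise ValueError(f"FORMAT expanded to {value!r}, expected host::<name>")
    return host


def hosts_for_stream(lines):
    """Return the host Splunk would assign to each line of the stream."""
    return [apply_host_transform(line) for line in lines]


if __name__ == "__main__":
    for line, host in zip(SAMPLE_STREAM, hosts_for_stream(SAMPLE_STREAM)):
        print(f"{host:20} <- {line}")
```

Lines that do not match keep their existing host, so a stream with an occasional unquoted line silently falls back to the input's default host rather than failing; that is worth watching for in a `| stats count by host` after the change.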