Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to convert computer name to host name?

AKG
Path Finder
‎04-19-2016 08:51 PM

Hi

We have environment where

windows events are forwarded => windows Event Collector
Windows Event Collector => Splunk indexer

Spunk forwarder has been installed only on Collector server.

In Splunk host name for all windows events is windows event Collector.

How do we make hostname = computer-name

is there a way to do this?

Thank you in advance.
.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Jeremiah
Motivator
‎04-20-2016 07:00 AM

This is what we use with the Windows Event Collection service. We put the WEC server hostname into a field called forwarder (so we know which collector sent the data) and then set the host field according to the ComputerName value in the Windows event.

In props.conf:

[(?:::){0}WinEventLog:...]
TRANSFORMS-FixWinEventLogHost = WinEventLog-SetForwarderName,WinEventLog-SetOriginatingHost

In transforms.conf:

[WinEventLog-SetForwarderName]
REGEX = ^host::(.*)$
SOURCE_KEY = MetaData:Host
FORMAT = forwarder::$1
WRITE_META = true

[WinEventLog-SetOriginatingHost]
REGEX = (?m)^ComputerName=([^\.\v]++)
FORMAT = host::$1
DEST_KEY = MetaData:Host

We run universal forwarders on the WEC servers and deploy this configuration on our indexers. If you run a heavy forwarder on your WEC server, you should deploy these changes there instead. If you don't want to capture the forwarder name in a field, just omit the WinEventLog-SetForwarderName portion.

View solution in original post

Reply
Solved! Jump to solution

AKG
Path Finder
‎04-20-2016 09:22 PM

Thank you All for your reply

All our windows logs are coming from windows collector so when we do the searching e.g. license usage by host all we get is collector's name and amount used.

for other searches we have to have two searches e.g. for windows computers with "computername = " and for nix with "host= "

we don't want users need to remember this type differences.

I will try the example above and come back to you,

Also Jeremiah (sorry for my lack of regex understanding)

Why do we use [(?:::){0}WinEventLog:...] ? what is the advantage over using tags like over [host::]?

Thank you

0 Karma
Reply
Solved! Jump to solution
Solution

Jeremiah
Motivator
‎04-20-2016 07:00 AM

This is what we use with the Windows Event Collection service. We put the WEC server hostname into a field called forwarder (so we know which collector sent the data) and then set the host field according to the ComputerName value in the Windows event.

In props.conf:

[(?:::){0}WinEventLog:...]
TRANSFORMS-FixWinEventLogHost = WinEventLog-SetForwarderName,WinEventLog-SetOriginatingHost

In transforms.conf:

[WinEventLog-SetForwarderName]
REGEX = ^host::(.*)$
SOURCE_KEY = MetaData:Host
FORMAT = forwarder::$1
WRITE_META = true

[WinEventLog-SetOriginatingHost]
REGEX = (?m)^ComputerName=([^\.\v]++)
FORMAT = host::$1
DEST_KEY = MetaData:Host

We run universal forwarders on the WEC servers and deploy this configuration on our indexers. If you run a heavy forwarder on your WEC server, you should deploy these changes there instead. If you don't want to capture the forwarder name in a field, just omit the WinEventLog-SetForwarderName portion.

Reply
Solved! Jump to solution

AKG
Path Finder
‎04-21-2016 06:09 PM

Thank you Jeremiah

This did exactly what we wanted to do.

Thank you

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎04-20-2016 04:47 AM

Option A) Search time extraction:

your search here
| eval host = Computer-Name

Option B) Iindex time:

props.conf

[host::<host>]
TRANSFORMS-renameHost = rename_host_from_Computer-Name

transforms.conf:

[rename_host_from_Computer-Name]
REGEX = [regex that captures your Computer-Name]
DEST_KEY = MetaData:Host
FORMAT = host::$1

More info here: http://docs.splunk.com/Documentation/Splunk/latest/Data/Overridedefaulthostassignments

Option C) Use a host tag:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Tagthehostfield

Hope that helps

Reply
Solved! Jump to solution

rusty009
Path Finder
‎04-20-2016 02:11 AM

Could you provide a bit more detail with examples of what your data looks like currently and how you would like it to look?

Reply
Solved! Jump to solution

PPape
Contributor
‎04-20-2016 12:50 AM

Can you provide an Event example?
Mostly you can do it with this setting in your inputs.conf:

host_regex = [regular expression]

0 Karma
Reply
Solved! Jump to solution

twinspop
Influencer
‎04-20-2016 07:28 AM

Unfortunately, host_regex only applies to the source path not arbitrary log contents.

0 Karma
Reply
Solved! Jump to solution

PPape
Contributor
‎04-20-2016 07:31 AM

Yes you are right. I think the Answer from @javiergn is the best one for this case

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
li.common.scroll-to.top