- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create an interesting field by parsing host...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create an interesting field by parsing host name
my index has events from many hosts. The hosts names contain information about what environment the host is part of. I would like to extract this at index time and make it an interesting field.
my host names always follow this pattern: SRV-xxP01xxxxx
the environment in this host name is "P01", and environment is always the 7th, 8th and 9th character in the host name string.
How would I go about making the environment an interesting field for my non-power users?
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The solution would be to apply a regex to extract the environment from the hostname. As a result the we i the props.conf you need to apply this to all host
props.conf
****************************************************************
[host::*]
TRANSFORMS-GLOBAL_environment_from_host = environment_from_host
In the transform.conf we need to specify source key for the regex as MetaData:Host , apply the regex and since this is a new field you have apply WRITE_META = true.
transform.conf
******************************************************************
[environment_from_host]
SOURCE_KEY = MetaData:Host
REGEX = "APPLY YOUR Regex HERE"
FORMAT = env::$1
WRITE_META = true
PLease be sure to apply your correct regex
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you SURE that you need it at index-time? I will give you that answer but suspect that you would be better off by a search-time solution.
You you need this in #props.conf:
[(::){0}*]
TRANSFORMS-GLOBAL_environment_from_host = environment_from_host
Then you need this in #transforms.conf:
[environment_from_host]
SOURCE_KEY = MetaData:Host
REGEX = ^.{6}(?<environment>.{3})
If you can get by with a search-time solution, then change TRANSFORMS- to REPORT- in #props.conf and change SOURCE_KEY = MetaData:Host to SOURCE_KEY = host in #transforms.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The solution provided does not work. I did some digging and found this article, which was simalar
https://www.splunk.com/blog/2014/07/31/quick-tip-wildcard-sourcetypes-in-props-conf.html
maybe the issue is this bit: [(::){0}*]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This solution works. Remember you said index-time so you need to deploy it to your Indexer tiers, restart splunk on each Indexer, and then check against events that were indexed AFTER the restart. Did you do all of that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thats what was done and the solution didnt work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this:
... | rex field=host "SRV-\S{2}(?<Environment>\S{3})"
hope it helps
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
