Solved: Re: How to edit my props.conf and transforms.conf ...

lawndart · ‎06-04-2015

I'm trying to set my "host" field to a portion of each event (it's traffic logs aggregated from a number of places) and I THINK I have my conf files set up correctly, but it obstinately refuses to function.

My transforms.conf:

[agg_traffic-HostSet]
REGEX = ^[^,]+,[^,]+,[^,]+,[^,]+,\d+,[^,]+[^,\n]*,[^,]+,[^,]+,([^,]+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

My props.conf:

[agg_traffic]
TRANSFORMS-agg_traffic = agg_traffic-HostSet

Example csv formatted event:

2015-06-01,20150601,127.0.0.1,10.10.0.1,800,17,DNS,site02,site02,<Event continues>

So that SHOULD set host=site02 (overriding the manual host definition from the input), except it doesn't. What have I screwed up? If I dump the regex into the rex command, it works exactly like I want it to.

stephanefotso · ‎06-04-2015

Ubdate your transform.conf like this, without FORMAT

My transforms.conf:

[agg_traffic-HostSet]
REGEX = ^[^,]+\,[^,]+\,[^,]+\,[^,]+\,\d+\,[^,]+(?<host>[^,])
DEST_KEY = MetaData:Host

SGF

View solution in original post

stephanefotso · ‎06-04-2015

Ubdate your transform.conf like this, without FORMAT

My transforms.conf:

[agg_traffic-HostSet]
REGEX = ^[^,]+\,[^,]+\,[^,]+\,[^,]+\,\d+\,[^,]+(?<host>[^,])
DEST_KEY = MetaData:Host

SGF

lawndart · ‎06-04-2015

Aaaand that did it. Thanks for the quick help! Why did that work when the FORMAT option didn't?

stephanefotso · ‎06-04-2015

The problem is the extraction. Here you have a simple REGEX with a name capturing group so you don't need to specify a FORMAT

SGF

lawndart · ‎06-04-2015

Oh, I put the files in both etc/system/local and also in apps/search/local (not at the same time), just in case that made any difference. It didn't.

How to edit my props.conf and transforms.conf to set the Host value to a portion of each event?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life