Splunk Search

How to edit my props.conf and transforms.conf to set the Host value to a portion of each event?

New Member

I'm trying to set my "host" field to a portion of each event (it's traffic logs aggregated from a number of places) and I THINK I have my conf files set up correctly, but it obstinately refuses to function.

My transforms.conf:

[agg_traffic-HostSet]
REGEX = ^[^,]+,[^,]+,[^,]+,[^,]+,\d+,[^,]+[^,\n]*,[^,]+,[^,]+,([^,]+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

My props.conf:

[agg_traffic]
TRANSFORMS-agg_traffic = agg_traffic-HostSet

Example csv formatted event:

2015-06-01,20150601,127.0.0.1,10.10.0.1,800,17,DNS,site02,site02,<Event continues>

So that SHOULD set host=site02 (overriding the manual host definition from the input), except it doesn't. What have I screwed up? If I dump the regex into the rex command, it works exactly like I want it to.

0 Karma
1 Solution

Motivator

Ubdate your transform.conf like this, without FORMAT

My transforms.conf:

[agg_traffic-HostSet]
REGEX = ^[^,]+\,[^,]+\,[^,]+\,[^,]+\,\d+\,[^,]+(?<host>[^,])
DEST_KEY = MetaData:Host

View solution in original post

Motivator

Ubdate your transform.conf like this, without FORMAT

My transforms.conf:

[agg_traffic-HostSet]
REGEX = ^[^,]+\,[^,]+\,[^,]+\,[^,]+\,\d+\,[^,]+(?<host>[^,])
DEST_KEY = MetaData:Host

View solution in original post

New Member

Aaaand that did it. Thanks for the quick help! Why did that work when the FORMAT option didn't?

0 Karma

Motivator

The problem is the extraction. Here you have a simple REGEX with a name capturing group so you don't need to specify a FORMAT

0 Karma

New Member

Oh, I put the files in both etc/system/local and also in apps/search/local (not at the same time), just in case that made any difference. It didn't.

0 Karma