Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Setting MetaData:Host over transforms.conf doesn't work

Thomas_Gresch
Explorer
‎09-14-2010 12:57 PM

I have icinga debug logs from a server called monitoring01 looking like:

[1284468200.195107] Checking service 'sys - Zeus ZXTM LB zeus.flipper processes' on host 'balance01'...

monitoring01 is a splunk forwarder. Now I want to rename the host bit on splunk from monitoring01 to whatever host is mentioned in the logfile, in the above example that would be 'balance01'.

On monitoring01 (splunk forwarder) I have the following files in place. They should convert the time and the hostname:

/opt/splunk/etc/apps/scripts/props.conf:

[script://./bin/icinga_converter.sh]
TIME_PREFIX = \[\d{10}
TIME_FORMAT = %+
MAX_TIMESTAMP_LOOKAHEAD = 11
SHOULD_LINEMERGE = false
TRANSFORMS-hostname = icinga_hostconverter

/opt/splunk/etc/apps/scripts/transforms.conf:

[icinga_hostconverter]
REGEX = ([^']*)'\.\.\.$
FORMAT = host::$1
DEST_KEY = MetaData:Host

The timestamp is taken out of the logline instead of arrival time at splunk correctly, but MetaData:Host remains to be set as monitoring01.

I can't find any hint, why the transformation won't work. Does anybody have an idea?

Tags (1)
0 Karma
Reply

tskimball
New Member
‎03-02-2011 09:50 AM

You have your source in props.conf as type script:: - Are you doing an internal pull using this script?

Try doing a plain forwarding of the raw file to the indexer, and specify source:: at the indexing props.conf instead.

0 Karma
Reply

Thomas_Gresch
Explorer
‎09-19-2010 01:05 PM

I've tried moving them into a local/ and a default/ directory within the app - no effect.

0 Karma
Reply

hulahoop
Splunk Employee
Splunk Employee
‎09-14-2010 06:57 PM

Thomas, are you using a regular forwarder or a lightweight forwarder? If you are using a LWF, then your host transform will not be honored. If this is the case, then you should put your host extraction configuration on the indexer.

Reply

Thomas_Gresch
Explorer
‎09-19-2010 01:21 PM

I've switched the forwarder from a LightWeight forwarder to a regular forwarder:

'splunk display app' shows

SplunkForwarder UNCONFIGURED ENABLED INVISIBLE

SplunkLightForwarder UNCONFIGURED DISABLED INVISIBLE

but still no effect.

0 Karma
Reply

Jeremiah
Motivator
‎09-14-2010 06:00 PM

Are the paths correct? transforms.conf and props.conf should go into either a default or local directory in your application (../etc/apps/scripts/default/transforms.conf).

0 Karma
Reply
Get Updates on the Splunk Community!

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...