Splunk Search

Setting MetaData:Host over transforms.conf doesn't work

Thomas_Gresch
Explorer

I have icinga debug logs from a server called monitoring01 looking like:

[1284468200.195107] Checking service 'sys - Zeus ZXTM LB zeus.flipper processes' on host 'balance01'...

monitoring01 is a splunk forwarder. Now I want to rename the host bit on splunk from monitoring01 to whatever host is mentioned in the logfile, in the above example that would be 'balance01'.

On monitoring01 (splunk forwarder) I have the following files in place. They should convert the time and the hostname:

/opt/splunk/etc/apps/scripts/props.conf:

[script://./bin/icinga_converter.sh]
TIME_PREFIX = \[\d{10}
TIME_FORMAT = %+
MAX_TIMESTAMP_LOOKAHEAD = 11
SHOULD_LINEMERGE = false
TRANSFORMS-hostname = icinga_hostconverter

/opt/splunk/etc/apps/scripts/transforms.conf:

[icinga_hostconverter]
REGEX = ([^']*)'\.\.\.$
FORMAT = host::$1
DEST_KEY = MetaData:Host

The timestamp is taken out of the logline instead of arrival time at splunk correctly, but MetaData:Host remains to be set as monitoring01.

I can't find any hint, why the transformation won't work. Does anybody have an idea?

Tags (1)
0 Karma

tskimball
New Member

You have your source in props.conf as type script:: - Are you doing an internal pull using this script?

Try doing a plain forwarding of the raw file to the indexer, and specify source:: at the indexing props.conf instead.

0 Karma

Thomas_Gresch
Explorer

I've tried moving them into a local/ and a default/ directory within the app - no effect.

0 Karma

hulahoop
Splunk Employee
Splunk Employee

Thomas, are you using a regular forwarder or a lightweight forwarder? If you are using a LWF, then your host transform will not be honored. If this is the case, then you should put your host extraction configuration on the indexer.

Thomas_Gresch
Explorer

I've switched the forwarder from a LightWeight forwarder to a regular forwarder:

'splunk display app' shows

SplunkForwarder UNCONFIGURED ENABLED INVISIBLE

SplunkLightForwarder UNCONFIGURED DISABLED INVISIBLE

but still no effect.

0 Karma

Jeremiah
Motivator

Are the paths correct? transforms.conf and props.conf should go into either a default or local directory in your application (../etc/apps/scripts/default/transforms.conf).

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...