Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is wrong with my transforms.conf and props.conf settings? I'm getting the wrong data.

mmohiuddin1512
Explorer
‎10-23-2017 06:01 AM

Hi All:

I am unable to get the metadata host field in Splunk for the value of the database field called "HOSTNAME". This value is the endpoint value of the device. Instead I am getting value of the database host, which is sending the data. I have used the following regex and applied transforms and props setting on the indexers in order to override the metadata host field, but I am unable to do so. Please find below my props and transforms settings. I'll appreciate if someone could please guide me in the proper direction on getting this fixed.

transforms.conf
[bdna-host-hostname]
DEST_KEY = MetaData:Host
REGEX = HOSTNAME="([^\s.]+)"
FORMAT = host::$1

props.conf
[bdna_inputs]
TRANSFORMS-host_extraction_bdna = bdna-host-hostname

Sample data feed from database, ingested via db connect version 3.1.1:

2017-10-23 05:43:47.337, rn="1000000", HOSTNAME="eagnmnmbd265", SOFTWARE_ID="15855349", SOFTWARE_ID_TYPE="CAT_RELEASE_ID", CAT_SW_RELEASE_ID="15855349", CAT_SW_PRODUCT_ID="1377892", CAT_SW_VERSION_ID="15855345", CAT_SW_VERSION_GROUP_ID="9193634", CAT_MANUFACTURER_ID="594406", CPE_DEFINITION="Python 2.7.5", CVSS_SCORE_MAX="10", CVSS_SEVERITY_MAX="3", CVE_COUNT="13", CAT_CPE_URI_ID="61509642", CAT_TAXONOMY_ID="19892850", CAT_TAXONOMY_CATEGORY1="Software Development", CAT_TAXONOMY_CATEGORY2="Application Architecture and Design", CAT_MANUFACTURER="Python Software Foundation", CAT_SOFTWARE="Python", CAT_VERSION_GROUP="2.0", CAT_VERSION="2.7", DISC_VERSION="2.7.5", CAT_IS_LICENSABLE="no", CAT_IS_SUITE="no", GROUP_ID="-1", GA_DATE="2010-07-03 00:00:00.0", EOL="2020-12-31 00:00:00.0", OBSOLETE="2020-12-31 00:00:00.0", HIDDEN="0", ORIGINATE_FROM="1", NFAMILY="0", TECHNOPEDIA_LAST_MODIFIED="2017-08-15 00:00:00.0"

0 Karma
Reply

alemarzu
Motivator
‎10-24-2017 07:10 AM

Hello there @mmohiuddin1512
Try with this regex REGEX = HOSTNAME=\"([^\s]+)\". This should be enough to capture everything between the quote signs.

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎10-23-2017 03:48 PM

Have you tried escaping the " symbols and the . with a backslash?
So:
REGEX = HOSTNAME=\"([^\s\.]+)\"

Otherwise the . matches everything...
However I've had issues with getting props.conf config to work nicely with DBConnect...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

mmohiuddin1512
Explorer
‎10-24-2017 06:11 AM

Thanks for your reply. I tried using your recommended regex in transforms.conf and applied it on the indexers, but still the metadata host field is not overridden. Any other alternatives.

Thanks,

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎10-25-2017 06:19 AM

Perhaps test by creating a text file with the expected content and using the oneshot command upload it as the correct sourcetype.
This will determine if the override is working as expected.

Also the props/transforms should be on the same heavy forwarder running the DB connect app...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...