Splunk Search

What is wrong with my transforms.conf and props.conf settings? I'm getting the wrong data.

Explorer

Hi All:

I am unable to get the metadata host field in Splunk for the value of the database field called "HOSTNAME". This value is the endpoint value of the device. Instead I am getting value of the database host, which is sending the data. I have used the following regex and applied transforms and props setting on the indexers in order to override the metadata host field, but I am unable to do so. Please find below my props and transforms settings. I'll appreciate if someone could please guide me in the proper direction on getting this fixed.

transforms.conf
[bdna-host-hostname]
DEST_KEY = MetaData:Host
REGEX = HOSTNAME="([^\s.]+)"
FORMAT = host::$1

props.conf
[bdna_inputs]
TRANSFORMS-host_extraction_bdna = bdna-host-hostname

Sample data feed from database, ingested via db connect version 3.1.1:

2017-10-23 05:43:47.337, rn="1000000", HOSTNAME="eagnmnmbd265", SOFTWARE_ID="15855349", SOFTWARE_ID_TYPE="CAT_RELEASE_ID", CAT_SW_RELEASE_ID="15855349", CAT_SW_PRODUCT_ID="1377892", CAT_SW_VERSION_ID="15855345", CAT_SW_VERSION_GROUP_ID="9193634", CAT_MANUFACTURER_ID="594406", CPE_DEFINITION="Python 2.7.5", CVSS_SCORE_MAX="10", CVSS_SEVERITY_MAX="3", CVE_COUNT="13", CAT_CPE_URI_ID="61509642", CAT_TAXONOMY_ID="19892850", CAT_TAXONOMY_CATEGORY1="Software Development", CAT_TAXONOMY_CATEGORY2="Application Architecture and Design", CAT_MANUFACTURER="Python Software Foundation", CAT_SOFTWARE="Python", CAT_VERSION_GROUP="2.0", CAT_VERSION="2.7", DISC_VERSION="2.7.5", CAT_IS_LICENSABLE="no", CAT_IS_SUITE="no", GROUP_ID="-1", GA_DATE="2010-07-03 00:00:00.0", EOL="2020-12-31 00:00:00.0", OBSOLETE="2020-12-31 00:00:00.0", HIDDEN="0", ORIGINATE_FROM="1", NFAMILY="0", TECHNOPEDIA_LAST_MODIFIED="2017-08-15 00:00:00.0"

0 Karma

Motivator

Hello there @mmohiuddin1512
Try with this regex REGEX = HOSTNAME=\"([^\s]+)\". This should be enough to capture everything between the quote signs.

0 Karma

SplunkTrust
SplunkTrust

Have you tried escaping the " symbols and the . with a backslash?
So:
REGEX = HOSTNAME=\"([^\s\.]+)\"

Otherwise the . matches everything...
However I've had issues with getting props.conf config to work nicely with DBConnect...

0 Karma

Explorer

Thanks for your reply. I tried using your recommended regex in transforms.conf and applied it on the indexers, but still the metadata host field is not overridden. Any other alternatives.

Thanks,

0 Karma

SplunkTrust
SplunkTrust

Perhaps test by creating a text file with the expected content and using the oneshot command upload it as the correct sourcetype.
This will determine if the override is working as expected.

Also the props/transforms should be on the same heavy forwarder running the DB connect app...

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!