I have a file with data similar to the following:
2015:09:01:15:00:00.005 sl200services007 3:INFO SERVER NOFMT 4327963992431091696812 Saving to client_request_map table
I have a custom sourcetype called services:client, and I have set up an index-time extraction for the host field.
inputs.conf
[monitor://C:\temp\sample_logs2.txt]
disabled = false
index = test
sourcetype = services:client
props.conf
[services:client]
MAX_TIMESTAMP_LOOKAHEAD = 30
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
description = trans services
pulldown_type = true
TRANSFORMS-host = hostoverride2
transforms.conf
[hostoverride2]
DEST_KEY = MetaData:Host
REGEX = ^[^\s]+\s([^\s]+)
FORMAT = host::$1
For testing, I stop Splunk, append data to the monitored file, and I start Splunk. Splunk is indexing the data fine, but the host field isn't set based on the regex result. I tested the regex on https://regex101.com/, and I followed the override syntax from http://blogs.splunk.com/2008/04/16/overriding-default-syslog-host-extraction/. Any thoughts on why this isn't working to set the hostname?
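Added example, not part of the original question and not Splunk's own code: a small Python emulation of what the hostoverride2 stanza would produce for the sample event, plus a constructed line that does not match the REGEX, to show the host then stays at its default. The stanza parser, the default host name "indexer-default", and the restriction to DEST_KEY = MetaData:Host with a host::$N FORMAT are assumptions made for the example.

```python
import re

# Constructed sample event, copied from the question's data line.
SAMPLE_EVENT = ("2015:09:01:15:00:00.005 sl200services007 3:INFO SERVER NOFMT "
                "4327963992431091696812 Saving to client_request_map table")

# The transforms.conf stanza from the question, embedded inline (raw string
# so the \s escapes reach the regex engine unchanged).
TRANSFORMS_CONF = r"""
[hostoverride2]
DEST_KEY = MetaData:Host
REGEX = ^[^\s]+\s([^\s]+)
FORMAT = host::$1
"""

def parse_stanzas(text):
    """Parse a minimal .conf file into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def apply_transform(stanza, event, default_host):
    """Emulate an index-time host override: return the host value the stanza
    would set for this event. Only DEST_KEY = MetaData:Host with a host::$N
    FORMAT is modelled (assumption); a non-matching REGEX leaves the default."""
    if stanza.get("DEST_KEY") != "MetaData:Host":
        return default_host
    match = re.search(stanza["REGEX"], event)
    if not match:
        return default_host
    # Substitute $1, $2, ... in FORMAT with the corresponding capture groups.
    fmt = re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))),
                 stanza["FORMAT"])
    key, _, value = fmt.partition("::")
    return value if key == "host" else default_host

def host_for(event, default_host="indexer-default"):
    """Host the hostoverride2 stanza yields for one raw event line."""
    stanza = parse_stanzas(TRANSFORMS_CONF)["hostoverride2"]
    return apply_transform(stanza, event, default_host)
```

The emulation only shows what the REGEX/FORMAT pair yields for a line; it says nothing about whether Splunk actually ran the transform on the ingested data.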