getting vice-versa hostnames from events

schose · ‎05-07-2015

Hi all,

I'm getting in events looking like this from host srv01.dev.web.env

env_web_dev_srv01.cpu-0.cpu-idle 97.380109 1431000659
env_web_dev_srv01.cpu-3.cpu-idle 99.026781 1431000659
env_web_dev_srv01.cpu-2.cpu-idle 98.903448 1431000659
env_web_dev_srv01.cpu-1.cpu-idle 98.456780 1431000659

as you can see the hostname is written vice-versa. Now i'm using props and transforms to get the hostname from the event:

props.conf:

[collectd]
TIME_PREFIX = ^.+\..+\..+\s.+\s
TRANSFORMS-mask= mask-collectd
SHOULD_LINEMERGE=false

transforms.conf:

[mask-collectd]
REGEX = ^([^_]+)_([^_]+)_([^_]+)_([^_.]+)\..+\..+\s.+\s.+
DEST_KEY = MetaData:Host
FORMAT =  host::$4.$3.$2.$1

my issue is that now the "." in a hostname have to match 3: so srv01.dev.web.env works find but srv01.subdomain.dev.web.env is not working.

Is there a smarter way to reverse the hostname and replace "_" with "." at index time?

Regards,

Andreas

richgalloway · ‎05-07-2015

Make the fourth level optional with a regex like ^(?:([^_]+)_)?([^_]+)_([^_]+)_([^_]+)_([^_.]+)\.

---
If this reply helps you, Karma would be appreciated.

getting vice-versa hostnames from events

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

getting vice-versa hostnames from events

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability