Splunk Search

'host' field being populated automatically when indexing a report

denissotoacc
Path Finder

I have a report that is getting events from an existing index, processing the data and indexing again to another custom Index I've created.

The original index has the "host" field populated with the indexer hostname. I need to replace this value with the value of another field. For that (and more) reason I've created a new index and a report, scheduled and configured it to populate the new index. The report shows the information exactly as I need.

The problem is when the report is being indexed to the new index: the "host" field is being populated with the indexer as value (as in the original index), and the value that I need to be in the host field is in another field automatically created and named "orig_host".

How can I fix that? 


isoutamo
SplunkTrust

I'm not sure if I understood your question correctly, but basically you should do it in SPL like "eval host=orig_host" when you are populating the new index. If you are populating the new index directly from a UF then you must use props.conf and transforms.conf and there EVAL_INGEST = host:=orig_host.

You can look at those in https://conf.splunk.com/files/2020/slides/PLA1154C.pdf

Can you share those SPL/conf files etc. how you are currently doing it?

r. Ismo


denissotoacc
Path Finder

Hi Soutamo. Thanks for your response. I am populating the new index with a report that extracts and processes data from another existing index.

My search/report looks like the following:

index=OldIndex
#SOME OTHER COMMANDS THAT WE NEED TO EXECUTE
| eval host = SomeOtherField
| fields + host, metric_label, metric_value
| collect index=NewIndex

The result event looks exactly as I need: only 3 fields, and the host field populated correctly. I've scheduled it to run every 5 minutes.
But then, in "NewIndex" the data is being populated like "OldIndex": with the same fields and "host" with the original value.

What is the problem?


isoutamo
SplunkTrust

Hi

You should use host=<your host> etc. with collect. See https://docs.splunk.com/Documentation/Splunk/8.2.0/SearchReference/Collect

r. Ismo

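As an added example (not from either poster), here are the two ways the collect command can set the host of the summary-indexed events, followed by a check search, using the field and index names from the original search. The first search assumes a Splunk version whose collect command supports output_format=hec (check the Collect reference for your version); in that format the event's own host, source and sourcetype fields are used as the index-time metadata, so the per-event value from SomeOtherField is kept. The second search uses the host= option Ismo points to, which sets one static value for every event written by that run (the "SOME-STATIC-HOST" value is a placeholder).

```spl
index=OldIndex
| eval host = SomeOtherField
| fields + host, metric_label, metric_value
| collect index=NewIndex output_format=hec

index=OldIndex
| eval host = SomeOtherField
| fields + host, metric_label, metric_value
| collect index=NewIndex host="SOME-STATIC-HOST" source="metrics_report"

index=NewIndex earliest=-15m
| stats count by host, orig_host
```

The last search shows whether host now carries the expected value; if orig_host still appears alongside an indexer hostname, the events were written in the default stash format and the host override did not apply.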