TRANSFORMS-pbs_set_host = pbs_set_host
BREAK_ONLY_BEFORE = (^name1|^name2|^name3|^name4|^name5|^name6|^name7|^name8|^name9)
NO_BINARY_CHECK = 1
pulldown_type = 1
DEST_KEY = MetaData:Host
REGEX = /^(.*)$/m
FORMAT = host::$1
The data originates from a script running on a search head. While indexing at a search head, it would successfully reset the hostname according to the regex. I've since started having the search head forward that data to indexers and copied the props and transforms to the indexers, and issued a /debug/refresh and also tried a | extract reload=T, but the transform is no longer applying and the host name is remaining the host running the script. How can I configure this for the regex to work properly again in a forwarded scenario?
The search head is a full instance of Splunk so it will perform parsing, and therefore your settings for transforming the events should still go on the search head even if you're forwarding them to the indexers. Once data arrives at the indexers it will already have been "cooked" by the search head, so the indexers won't do anything with it.
Did you restart the Splunk instances or just issue a /debug/refresh + extract reload=t? The latter ones don't apply to any index-time configurations, so in order for any of these kinds of settings to take effect you need to restart. It's a long shot, but still... 😉
The thing is I never removed or remarked out the props/transforms on the search head either. Essentially once I set up an outputs.conf to autoLB across indexers, all stopped working even though I copied both stanzas over to all indexers in the LB group.