I have icinga debug logs from a server called monitoring01 looking like:
[1284468200.195107] Checking service 'sys - Zeus ZXTM LB zeus.flipper processes' on host 'balance01'...
monitoring01 is a splunk forwarder. Now I want to rename the host bit on splunk from monitoring01 to whatever host is mentioned in the logfile, in the above example that would be 'balance01'.
On monitoring01 (splunk forwarder) I have the following files in place. They should convert the time and the hostname:
/opt/splunk/etc/apps/scripts/props.conf:
[script://./bin/icinga_converter.sh]
TIME_PREFIX = \[\d{10}
TIME_FORMAT = %+
MAX_TIMESTAMP_LOOKAHEAD = 11
SHOULD_LINEMERGE = false
TRANSFORMS-hostname = icinga_hostconverter
/opt/splunk/etc/apps/scripts/transforms.conf:
[icinga_hostconverter]
REGEX = ([^']*)'\.\.\.$
FORMAT = host::$1
DEST_KEY = MetaData:Host
The timestamp is correctly taken from the log line instead of the arrival time at Splunk, but MetaData:Host remains set to monitoring01.
I can't find any hint as to why the transformation won't work. Does anybody have an idea?
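One thing worth separating out is whether the REGEX in transforms.conf actually captures the host from these lines at all, independent of where Splunk applies it. The script below is an added check, not part of the question or of any Splunk code: it runs the poster's exact regex over a few constructed Icinga-style lines (only the first is from the post) and shows which host value a host:: override would produce per event, falling back to the forwarder's own name when the pattern does not match. Note that the pattern only matches lines ending in a quoted name followed by "...", so any other Icinga message keeps the forwarder hostname.

```python
import re

# The REGEX from the poster's transforms.conf, unchanged, as a Python pattern.
# It captures everything between the last single quote and a trailing "'...".
HOST_REGEX = re.compile(r"([^']*)'\.\.\.$")

# Constructed sample lines (only the first one is from the original post).
SAMPLE_LINES = [
    "[1284468200.195107] Checking service 'sys - Zeus ZXTM LB zeus.flipper processes' on host 'balance01'...",
    "[1284468201.000000] Checking host 'web02'...",
    "[1284468202.000000] Service check result for 'balance01' received",  # no trailing '..., no match
    "[1284468203.000000] Checking service 'http' on host 'web03'...\n",   # trailing newline from a file read
]


def extract_host(line):
    """Return the host captured by the transforms.conf REGEX, or None if it does not match."""
    match = HOST_REGEX.search(line.rstrip("\n"))
    return match.group(1) if match else None


def resolve_host(line, forwarder_host="monitoring01"):
    """Host value the event would get: the captured name if the regex matches,
    otherwise the forwarder's own hostname (the default Splunk assigns)."""
    captured = extract_host(line)
    return captured if captured is not None else forwarder_host


def host_overrides(lines, forwarder_host="monitoring01"):
    """Map each line to the host it would be indexed under, mimicking FORMAT = host::$1."""
    return [resolve_host(line, forwarder_host) for line in lines]


if __name__ == "__main__":
    for line, host in zip(SAMPLE_LINES, host_overrides(SAMPLE_LINES)):
        print(f"host::{host:<12} <- {line.strip()}")
```

If this prints the expected hosts, the regex is fine and the remaining question is purely where the transform is being applied; if it does not, the REGEX itself needs adjusting before looking further.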