I'm very new to Splunk. I'm trying to use transforms.conf and props.conf to set the host value to something based on a regex. Every time I try it, the host value is always set to $1.
This is my transforms.conf:
[setHost]
DEST_KEY = MetaData:Host
SOURCE_KEY = MetaData:Source
REGEX = webserver\d{0,2}-\d{0,3}
FORMAT = host::"$1"
This is my props.conf:
[iis]
TRANSFORMS-setHost = setHost
The source that it's coming from looks like this: /var/logs/webserver01-003/blah.log
How do I get this to work?
Thank you.
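Added example, not part of the original post: the same two stanzas with a capture group in REGEX. `$1` in FORMAT refers to the first parenthesised group, and the posted pattern has none. Stanza names and keys are taken from the post; the assumption is that the whole `webserverNN-NNN` directory name should become the host.

```ini
# transforms.conf
[setHost]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Host
# $1 in FORMAT is filled from the first parenthesised group in REGEX.
# Assumption: the full "webserverNN-NNN" path component is the desired host.
# For /var/logs/webserver01-003/blah.log the group captures webserver01-003.
REGEX = (webserver\d{0,2}-\d{0,3})
# Splunk's documented form for a host override is host::$1, without quotes.
FORMAT = host::$1

# props.conf
# Unchanged from the post; a bare stanza name such as [iis] matches a sourcetype.
[iis]
TRANSFORMS-setHost = setHost
```

This is an index-time transform, so both files belong on the instance that parses the data (indexer or heavy forwarder), and that instance needs a restart. Only events indexed after the change get the new host value, which matters when searches or detections key on `host`.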