About boknows

boknows · ‎03-01-2025

Can you explain why you would want to install this on the heavy forwarder? I am trying to install on my SH but cant get the configurations to connect. Would installing on the HF make a difference?

boknows · ‎02-26-2025

Changing the name made it work. I had the same class names in the transforms that had different regex. I appreciate the assistance.

boknows · ‎02-23-2025

I have 3 sources that I need to do this for and was able to have 2 come through putting the props in the TA that normalizes the data. The only difference in the 3 data sources is that the data source that I cant get to work is there is a space in the logs before its breaks. The regex that I have used for both other data sources is the same one that I I using just with a space prior to it. Not working though.

boknows · ‎02-22-2025

Hello, Syslog is being sent to a UF and then to the Indexers. No HF to do parsing. Is what I am trying to accomplish possible using search time field extractions?

boknows · ‎02-21-2025

I am pushing the configs from the cluster master to two indexers. No HF. The change in transforms still did not work. I am using the Splunk_TA_mcafee-wg . Is it possible that a configuration is taking precedence over my changes? I have tried making a local folder in the app and adding the props and transforms there. No luck.

boknows · ‎02-21-2025

Sorry. The first time I sent it it said it was reported as spam so wasnt sure it went through

boknows · ‎02-20-2025

Hello, I am trying to replace the host value that is the UF with event data as the value. ACME-001 PROD-MFS-003: status="200/0" srcip="1.0.0.1" user="a7bk28" dhost="http://test_web.net/contents/content2.jpg?ee=ff&gg=hh" urlp="10" proto="HTTP/http" mtd="GET" urlc="Music" rep="24" mt="image/jpeg" mlwr="-" app="-" bytes="601/274/31302/00012" ua="Mozilla/5.0 (webOS/1.3; U; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/1.0 Safari/525.27.1 Desktop/1.0" lat="0/0/05/14" rule="rule14 bad" url="http://test_web.com/page5/e.jpg?ee=ff&gg=hh" ACME-001 PROD-POS-006: status="200/0" srcip="1.0.0.13" user="ItsEmeline" dhost="http://test_web.net/users/user2.jpg?ee=ff&gg=hh" urlp="10" proto="HTTP/http" mtd="GET" urlc="Beauty" rep="21" mt="application/xml" mlwr="-" app="-" bytes="534/020/100/130" ua="Mozilla/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko/20110623 Firefox/7.0a1" lat="0/10/026/105" rule="rule12 bad" url="http://test_web.net/contents/content2.jpg?ee=ff&gg=hh" ACME-001 is what I want to be placed in as the value for the host field. These are teh props and transforms that I am using. props.conf [mcafee:wg:kv] TRANSFORMS-changehost = changehost SHOULD_LINEMERGE = false DATETIME_CONFIG = current transforms.conf [changehost] DEST_KEY = MetaData:Host REGEX = ^(?P<host>\S+) FORMAT = host::$1 I have also tried ^(\S+) for the regex I have 1 SH, 1 CM, 2 IDX and 1 UF I have put the props and transforms in app and pushed them to the indexers from the CM. They are on both indexes in /opt/splunk/etc/peer-apps I have a TA that has the same sourcetype that I am using in props in my app. Im wondering if I should add the props and transforms to a local folder in the TA instead of having them in a separate app. Any suggestions would be much appreciated.

boknows · ‎02-20-2025

Hello, I have logs coming in with the host showing as the UF. I want to replace the host value with some event data. Here is a sample of the data. ACME-001 HOST-003: status="407/0" srcip="1.0.0.2" user="VeroRivas" dhost="http://test_web.net/contents/content1.jpg?aa=bb&cc=dd" urlp="401" proto="HTTP/https" mtd="CONNECT" urlc="Movie" rep="2" mt="text/html" mlwr="-" app="-" bytes="001/0/0/3180" ua="Mozilla/5.0 (webOS/1.3; U; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/1.0 Safari/525.27.1 Desktop/1.0" lat="0/0/0/3" rule="rule1 ok" url="http://test_web.com/page3/c.jpg?ee=ff&gg=hh" ACME-001 ops-sys-002: status="407/0" srcip="1.0.0.11" user="roisiningle" dhost="http://test_web.net/contents/content1.jpg?aa=bb&cc=dd" urlp="401" proto="HTTP/https" mtd="CONNECT" urlc="Food" rep="-2" mt="text/html" mlwr="-" app="-" bytes="206/0/0/0040" ua="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1" lat="0/0/0/1" rule="rule1 ok" url="http://test_web.com/page5/e.jpg?ee=ff&gg=hh" ACME-001 BUSDEV-005: status="200/0" srcip="1.0.0.13" user="roonixr" dhost="http://test_web.net/users/user2.jpg?ee=ff&gg=hh" urlp="10" proto="HTTP/http" mtd="GET" urlc="Advertisement" rep="-3" mt="application/javascript" mlwr="-" app="-" bytes="142/020/032/023" ua="Mozilla/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko/20030517 Mozilla Firebird/0.6" lat="0/05/30/53" rule="rule8 good" url="http://test_web.net/users/user2.jpg?ee=ff&gg=hh" ACME-001 is what I want to be used for the for the value of host. I am in a index cluster environment with 1 SH, CM, 2 IDX and 1 UF. I have pushed these props and transforms to the indexers with no success. The UF is still showing as the host value. Props [mcafee:wg:kv] TRANSFORMS-changehost = changehost SHOULD_LINEMERGE = false DATETIME_CONFIG = current #TIME_PREFIX = #TIME_FORMAT = SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+) #MAX_TIMESTAMP_LOOKAHEAD = TRUNCATE = 999999 EVENT_BREAKER_ENABLE = true EVENT_BREAKER = ([\r\n]+) Transforms [changehost] DEST_KEY = MetaData:Host REGEX = ^(?P<host>\S+) FORMAT = host::$1 Any help would be much appreciated

Posts	8
Solutions	0
Karma Given	1
Karma Received	0
Member Since	‎02-20-2025

Online Status	Offline
Date Last Visited	‎03-01-2025 07:13 PM

Unable to override host value with event data

Host override with event data

Re: Active directory access for Splunk

Re: Host override with event data

Re: Host override with event data

Re: Host override with event data

Re: Host override with event data

Re: Unable to override host value with event data

Unable to override host value with event data

Host override with event data

Are you a member of the Splunk Community?