Hi All:
I am unable to get the metadata host field in Splunk to take the value of the database field called "HOSTNAME". This value is the endpoint value of the device. Instead, I am getting the value of the database host, which is sending the data. I have used the following regex and applied transforms and props settings on the indexers in order to override the metadata host field, but I am unable to do so. Please find below my props and transforms settings. I'd appreciate it if someone could please guide me in the proper direction on getting this fixed.
transforms.conf
[bdna-host-hostname]
DEST_KEY = MetaData:Host
REGEX = HOSTNAME="([^\s.]+)"
FORMAT = host::$1
props.conf
[bdna_inputs]
TRANSFORMS-host_extraction_bdna = bdna-host-hostname
Sample data feed from the database, ingested via DB Connect version 3.1.1:
2017-10-23 05:43:47.337, rn="1000000", HOSTNAME="eagnmnmbd265", SOFTWARE_ID="15855349", SOFTWARE_ID_TYPE="CAT_RELEASE_ID", CAT_SW_RELEASE_ID="15855349", CAT_SW_PRODUCT_ID="1377892", CAT_SW_VERSION_ID="15855345", CAT_SW_VERSION_GROUP_ID="9193634", CAT_MANUFACTURER_ID="594406", CPE_DEFINITION="Python 2.7.5", CVSS_SCORE_MAX="10", CVSS_SEVERITY_MAX="3", CVE_COUNT="13", CAT_CPE_URI_ID="61509642", CAT_TAXONOMY_ID="19892850", CAT_TAXONOMY_CATEGORY1="Software Development", CAT_TAXONOMY_CATEGORY2="Application Architecture and Design", CAT_MANUFACTURER="Python Software Foundation", CAT_SOFTWARE="Python", CAT_VERSION_GROUP="2.0", CAT_VERSION="2.7", DISC_VERSION="2.7.5", CAT_IS_LICENSABLE="no", CAT_IS_SUITE="no", GROUP_ID="-1", GA_DATE="2010-07-03 00:00:00.0", EOL="2020-12-31 00:00:00.0", OBSOLETE="2020-12-31 00:00:00.0", HIDDEN="0", ORIGINATE_FROM="1", NFAMILY="0", TECHNOPEDIA_LAST_MODIFIED="2017-08-15 00:00:00.0"
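As an added example (not from the question or the poster's own configuration), the following Python snippet runs the REGEX from the transforms.conf stanza above over a constructed line modelled on the sample event, and applies FORMAT = host::$1 the way the stanza would. It lets you confirm locally what the capture group yields before the transform is deployed to the indexers, and it also shows an assumed relaxed pattern (FQDN_REGEX, not from the question) for the edge case where HOSTNAME carries a dotted name, which the original `[^\s.]+` pattern does not match at all.

```python
import re

# Constructed sample line modelled on the event in the question (shortened; not real data).
SAMPLE_EVENT = (
    '2017-10-23 05:43:47.337, rn="1000000", HOSTNAME="eagnmnmbd265", '
    'SOFTWARE_ID="15855349", CPE_DEFINITION="Python 2.7.5"'
)

# REGEX exactly as written in the transforms.conf stanza in the question.
QUESTION_REGEX = r'HOSTNAME="([^\s.]+)"'

# Assumed alternative (not from the question): allow dots so a fully qualified
# hostname such as host.example.com is captured up to the closing quote.
FQDN_REGEX = r'HOSTNAME="([^\s"]+)"'


def extract_host(event, pattern=QUESTION_REGEX):
    """Return the text that would become $1, or None when REGEX does not match.

    Splunk applies the stanza's REGEX to the raw event and substitutes the first
    capture group into FORMAT; a non-match leaves the metadata host untouched.
    """
    match = re.search(pattern, event)
    return match.group(1) if match else None


def format_host(event, pattern=QUESTION_REGEX):
    """Apply FORMAT = host::$1 to the captured value, or None when nothing matched."""
    host = extract_host(event, pattern)
    return f"host::{host}" if host is not None else None


if __name__ == "__main__":
    # Constructed FQDN variant of the sample, used to exercise the dotted-hostname case.
    fqdn_event = SAMPLE_EVENT.replace('HOSTNAME="eagnmnmbd265"',
                                      'HOSTNAME="eagnmnmbd265.example.com"')
    print("question regex, short name:", format_host(SAMPLE_EVENT))
    print("question regex, FQDN      :", format_host(fqdn_event))
    print("relaxed regex,  FQDN      :", format_host(fqdn_event, FQDN_REGEX))
```

If `format_host` returns the expected `host::...` value for your real events but the indexed host is still the database server, the regex itself is not the problem and the stanza name in props.conf (here `[bdna_inputs]`) should be checked against the actual sourcetype the events arrive with.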