
Help with Extracting host via transforms

danielbb
Motivator

We have the following - 


# /data/xxxx/<hostname>_syslog.log
[datanow-syslog-host]
SOURCE_KEY = source
REGEX = \/data\/xxxx\/(.+)_syslog\.log
DEST_KEY = MetaData:Host
FORMAT = host::$1


Trying to extract the host name from the source without much luck.

Any ideas? 


gcusello
SplunkTrust

Hi @danielbb,

the stanza you shared is in transforms.conf, I suppose that you also created a related props.conf containing:

[your_sourcetype]
TRANSFORMS-datanow-syslog-host = datanow-syslog-host

and I suppose that the sourcetype is correct: there isn't any additional sourcetype overriding.

Then, where did you locate props.conf and transforms.conf?

They must be on your Indexers or (if present) on Heavy Forwarders, not on Universal Forwarders.

Ciao.

Giuseppe

danielbb
Motivator

Hi @gcusello 

In props.conf I have configuration as you said - 

[your_sourcetype]
TRANSFORMS-datanow-syslog-host = datanow-syslog-host


And btool of props and transforms confirms that this part is ok.

Props and transforms are on the HF which is our syslog server as well.

Does this line look fine to you? It is the one I trust the least -

SOURCE_KEY = source


Is there any way to debug these cases? splunkd.log doesn't record much of it, right? 


gcusello
SplunkTrust

Hi @danielbb,

I suppose that you also restarted Splunk on the HF after update.

Anyway, the configuration is correct; the only thing different from my usual use is the SOURCE_KEY = source. Do you also have the value you are using in the raw events?

Reading the documentation at https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Transformsconf I see that the syntax to use is a little different, please try this:

SOURCE_KEY = MetaData:Source

or 

SOURCE_KEY = field:source

Ciao.

Giuseppe
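Since the thread asks how to debug a transform when splunkd.log says little, the following added example (not code from either poster, and not Splunk's own code) simulates what the stanza does at index time: it reads the stanza with configparser, resolves SOURCE_KEY the way the transforms.conf documentation lists the accepted forms (MetaData:*, _raw, field:<name>), runs REGEX against that value and substitutes the $1 capture into FORMAT. The sample events and the strict rejection of a bare SOURCE_KEY such as "source" are this example's own assumptions, and the field:source mapping here simply reuses the constructed source path; it is meant as a quick offline sanity check of REGEX and FORMAT before restarting a Heavy Forwarder, not as a replacement for btool.

```python
import configparser
import re
from typing import Optional

# Constructed sample transforms.conf: the stanza from the thread, with the
# SOURCE_KEY form the documentation uses (MetaData:Source).
SAMPLE_TRANSFORMS_CONF = r"""
# /data/xxxx/<hostname>_syslog.log
[datanow-syslog-host]
SOURCE_KEY = MetaData:Source
REGEX = \/data\/xxxx\/(.+)_syslog\.log
DEST_KEY = MetaData:Host
FORMAT = host::$1
"""

# Keys a transform may read from; anything else is rejected so that typos
# (or a bare "source") are caught here rather than silently doing nothing.
META_KEYS = ("_raw", "MetaData:Source", "MetaData:Host", "MetaData:Sourcetype")


def load_stanza(conf_text: str, name: str) -> dict:
    """Parse one transforms.conf stanza into a plain dict (keys keep their case)."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep SOURCE_KEY as written, not lower-cased
    parser.read_string(conf_text)
    return dict(parser[name])


def make_event(source: str, raw: str = "<constructed syslog line>") -> dict:
    """Constructed event: metadata keys as Splunk names them, plus indexed fields."""
    return {
        "_raw": raw,
        "MetaData:Source": source,
        "MetaData:Host": "host::hf01",            # host before the transform runs
        "MetaData:Sourcetype": "sourcetype::syslog",
        "fields": {"source": source},             # assumption: field:source == the path
    }


def resolve_source_key(event: dict, source_key: str) -> str:
    """Return the string the REGEX is matched against, or fail loudly."""
    if source_key in META_KEYS:
        return event[source_key]
    if source_key.startswith("field:"):
        return event["fields"][source_key[len("field:"):]]
    raise ValueError(
        f"unrecognised SOURCE_KEY {source_key!r}: use a MetaData:* key, _raw or field:<name>"
    )


def apply_transform(stanza: dict, event: dict) -> Optional[dict]:
    """Simulate the transform: {DEST_KEY: rendered FORMAT} on match, None otherwise."""
    subject = resolve_source_key(event, stanza.get("SOURCE_KEY", "_raw"))
    match = re.search(stanza["REGEX"], subject)
    if match is None:
        return None  # no match means the host is left as it was
    # Replace $1, $2, ... in FORMAT with the corresponding capture groups.
    rendered = re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), stanza["FORMAT"])
    return {stanza["DEST_KEY"]: rendered}


if __name__ == "__main__":
    stanza = load_stanza(SAMPLE_TRANSFORMS_CONF, "datanow-syslog-host")
    for path in ("/data/xxxx/web01_syslog.log", "/data/xxxx/other.log"):
        print(path, "->", apply_transform(stanza, make_event(path)))
    try:
        apply_transform(dict(stanza, SOURCE_KEY="source"), make_event("/data/xxxx/web01_syslog.log"))
    except ValueError as err:
        print("rejected:", err)
```

Running it prints the rewritten host for the matching path, None for the non-matching one, and the rejection message for the bare `source` key; swapping SOURCE_KEY to `field:source` in the sample stanza also matches, which mirrors the second alternative suggested above.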
