Getting Data In

Help with Extracting host via transforms

danielbb
Motivator

We have the following - 

 

# /data/xxxx/<hostname>_syslog.log
[datanow-syslog-host]
SOURCE_KEY = source
REGEX = \/data\/xxxx\/(.+)_syslog\.log
DEST_KEY = MetaData:Host
FORMAT = host::$1

 

Trying to extract the host name from the source without much luck.

Any ideas? 

Labels (1)
Tags (1)
0 Karma

gcusello
Legend

Hi @danielbb,

the stanza you shared is in transforms.conf, I suppose that you also created a related props.conf containing:

[your_sourcetype]
TRANSFORMS-datanow-syslog-host = datanow-syslog-host

and I suppose that the sourcetype is correct: there isn't any additional sourcetype overriding.

Then, where do you located props.conf and transforms.conf?

they must be on your Indexers or (if present) on Heavy Forwarders, not on Universal Forwarders.

Ciao.

Giuseppe

danielbb
Motivator

Hi @gcusello 

In props.conf I have configuration as you said - 

[your_sourcetype]
TRANSFORMS-datanow-syslog-host = datanow-syslog-host

 

And btool of props and transforms confirms that this part is ok.

Props and transforms are on the HF which is our syslog server as well.

Does this line look fine to you? the one I trust the least - 

SOURCE_KEY = source


Is there any way to debug these cases? splunkd.log doesn't record much of it, right? 

0 Karma

gcusello
Legend

Hi @danielbb,

I suppose that you also restarted Splunk on the HF after update.

Anyway, teh configuration is correct, the only thing different than my usual use is the SOURCE_KEY = source, have you the value you are using also in the row events?.

Reading the documentation at https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Transformsconf I see that the syntax to use is a little different, please try this:

SOURCE_KEY = MetaData:Source

or 

SOURCE_KEY = field:source

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...