Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Question about host field

AHA-0114
Explorer
‎11-18-2021 02:57 AM

I'm trying to put a host in a host field before indexing the csv file below.

【CSV file】

#ServerName001
#JobName,Start time,End time,Elapsed time,Status
JobName_01,11/05/21 19:08:07,11/05/21 19:08:41,00:00:34,Succeeded
JobName_02,11/05/21 20:49:53,11/05/21 21:19:06,00:29:13,Succeeded
JobName_03,11/05/21 21:53:10,11/05/21 21:53:15,00:00:05,Succeeded

I set TRANSFORMS in props.conf with changeHost and set the contents of changeHost in transfoms.conf as follows.

【changeHost】

[changeHost]
SOURCE_KEY = _raw
REGEX = \#(\S+)\s\#:
DEST_KEY = MetaData:Host
FORMAT = host::$1

I want to set host field as ServerName001, but it doesn't work.
Can anyone give me some advice?

Labels (4)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-18-2021 06:30 AM

Depending on what other settings are in props.conf, it's possible the # lines are ignored.

Even so, however, each line of the CSV file is processed independently with the transform attempting to find "#".  When it fails to find a match (because there is no "#" on the line) the host name is not written

I'm not aware of a method to extract a field and then use it in every event that follows.  Perhaps you coudl suggest it at https://ideas.splunk.com

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...