Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Unable to rewrite host meta key at ingestion

brent_weaver
Builder
‎11-29-2020 05:29 AM

I have a reg ex tested and working that will extract the host out of these events. My transforms is as follows:

 

 

 

 

 

[hostextraction]
REGEX = ^.*\d+\s(.*)ASM:.*
FORMAT = host::$1
DEST_KEY = MetaData:Host

 

 

 

 

 

props:

 

 

 

 

 

[myst]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIME_PREFIX = ^.{1,16}\b(?:\d{1,3}\.){3}\d{1,3}\b\s
TRANSFORMS-whateva = hostextraction

 

 

 

 

 

 This has no affect on the host metadata key. Any help is much appreciated. I am taking this directly from Splunk Documentation.  I am getting this message in _internal

ERROR regexExtractionProcessor - REGEX field must be specified tranform_name=hostextraction
 
Any help is much appreciated!
Labels (1)
Labels
0 Karma
Reply

brent_weaver
Builder
‎11-29-2020 08:51 AM 
Sep 20 11:13:18 10.50.3.100 Sep 20 11:13:15 DC1ASM1.dc1.greendotcorp.com ASM:"MONEYPAK_WEBAPP","MONEYPAK_CLASS","Blocked","Attack signature detected","4523972057501654520","207.154.35.240","GET /Content/Images/img_logo01_module02.gif HTTP/1.1\r\nHost: www.moneypak.com\r\nUser-Agent: sam375/1.0[TF268435460801870024000000015076264944] UP.Browser/6.2.3.8 (GUI) MMP/2.0 Profile/MIDP-2.0 Configuration/CLDC-1.1\r\nAccept-Charset: iso-8859-1\r\nAccept-Language: en; q=0.9, es-ve; q=0.9\r\nx-wap-profile: ""http://uaprof1.caohosting.com/UAProfSamsung_R375_TF_V01.xml""\r\nReferer: ../../UseMoneyPak.aspx\r\nCookie: ASP.NET_SessionId=fygzml55xi4i5j45sqnduhy3; __RequestVerificationToken_Lw__=a3NVWCZIIdAJq9jOKEbhic39Vp03TnfuaVRd0mv7yBMYi88KbWiEO1uTpjKuQyybqfSC6JzuMPAA/EPxUpMeeI5hAxDRBepfwT7oeGSTy4xDp+vX7lqDSnJ4C2FI5J6yNRoasA==; TS9d98d7=9f0b4c041f7d935b1147a57259d88de374a21272ed77bfab505b5c7636af3f5e4cdb125288da4b2db1281d8f\r\nAccept: application/octet-stream, application/vnd.oma.drm.content, application/vnd.oma.drm.message, application/vnd.oma.drm.rights+wbxml, application/vnd.oma.drm.rights+xml, a
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-29-2020 07:53 AM
Can you provide any sample data where you are trying extract host?
0 Karma
Reply

brent_weaver
Builder
‎11-29-2020 09:04 AM

See above as I just posted a sample of data.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...