I have a v4.1.4 full forwarder set up to forward the Windows System and Application event logs to a v4.1.4 indexer. At this point, events coming from both event logs have the hostname of the forwarder (sbkhpsim1) in the "host=" field. However, in the Application event log only, I need to replace the forwarder's hostname in the "host=" field with the name of a host within the event. Below are the inputs.conf, props.conf, and transforms.conf files from the forwarder, followed by a sample event. The REGEX to do the substitution works, so I don't think that's the issue. ANY help is appreciated.
inputs.conf:

host = sbkhpsim1

[WinEventLog:System]
disabled = false

[WinEventLog:Application]
disabled = false
sourcetype = WindowsAppEventLog
props.conf:

[WindowsAppEventLog]
TRANSFORMS-sim = GetEventOrigName
transforms.conf:

[GetEventOrigName]
REGEX = ^Event\soriginator:\s(\w+\-?\w+)
DEST_KEY = MetaData:Host
FORMAT = host::$1
Sample event:

05/15/12 07:30:01 AM
LogName=Application
SourceName=HP Systems Insight Manager
EventCode=3
EventType=1
Type=Error
ComputerName=SBKHPSIM1
Category=0
CategoryString=none
RecordNumber=57175
Message=sbkesx14: (SNMP) Accelerator Board Status Change (3038):
Event Name: (SNMP) Accelerator Board Status Change (3038)
URL: http://sbkhpsim1.win.dowjones.net:280/mxportal/MxContextLaunch.jsp?systems=sbkesx14&tool=System%20Pa...
Event originator: sbkesx14
Event Severity: Critical
Event received: 15-May-2012, 07:28:51
Event description: Accelerator Board Status Change. This trap signifies that the agent has detected a change in the status of an array accelerator cache board. The current status is represented by the variable cpqDaAccelStatus. User Action: If the accelerator board status is permDisabled(5), you may need to replace the accelerator board.
Location: Slot 6
Model: sa-p400
Serial Number: PA2270J9SW1878
Total Memory: 524288
Status: tmpDisabled
Error Code: lowBattery
I think the caret (^) in the regex is the culprit. If I remember correctly, the line doesn't start there; the text is indented. Also, you may wish to state that it's a multiline event. Try the following regex:
Hope this helps,
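The following is an added example, not code from the question, the answer, or Splunk itself. It emulates what the question's transforms.conf stanza does (one regex search over the whole raw event, with the first capture group replacing the forwarder's host) using Python's re module, and runs the posted REGEX and a multiline variant against the sample event rebuilt in its multi-line form. Assumptions: Python's re behaves like Splunk's PCRE for these constructs, the message body lines are indented as the answer suggests, and the MULTILINE_REGEX shown is a hypothetical illustration of the answer's point, not the answer's own regex.

```python
import re

# Constructed sample: the question's HP SIM application-log event, broken back
# into the multi-line form the indexer sees. The four-space indentation of the
# message body is an assumption based on the answer's remark that the text
# is indented; the event text itself is taken from the question.
SAMPLE_EVENT = (
    "05/15/12 07:30:01 AM\n"
    "LogName=Application\n"
    "SourceName=HP Systems Insight Manager\n"
    "EventCode=3\n"
    "EventType=1\n"
    "Type=Error\n"
    "ComputerName=SBKHPSIM1\n"
    "Category=0\n"
    "CategoryString=none\n"
    "RecordNumber=57175\n"
    "Message=sbkesx14: (SNMP) Accelerator Board Status Change (3038):\n"
    "    Event Name: (SNMP) Accelerator Board Status Change (3038)\n"
    "    URL: http://sbkhpsim1.win.dowjones.net:280/mxportal/"
    "MxContextLaunch.jsp?systems=sbkesx14&tool=System%20Pa...\n"
    "    Event originator: sbkesx14\n"
    "    Event Severity: Critical\n"
    "    Event received: 15-May-2012, 07:28:51\n"
)

# The REGEX exactly as posted in the question's transforms.conf.
ORIGINAL_REGEX = r"^Event\soriginator:\s(\w+\-?\w+)"

# Hypothetical alternative (not the answer's regex): (?m) makes ^ match at the
# start of every line of the event, and \s* tolerates leading indentation.
MULTILINE_REGEX = r"(?m)^\s*Event\soriginator:\s(\w+\-?\w+)"

# The forwarder's own host value from inputs.conf; kept when nothing matches.
DEFAULT_HOST = "sbkhpsim1"


def apply_host_transform(event: str, regex: str, default_host: str = DEFAULT_HOST) -> str:
    """Emulate a transforms.conf stanza with DEST_KEY = MetaData:Host and
    FORMAT = host::$1: search the whole raw event once; on a match the first
    capture group becomes the host, otherwise the forwarder's host stays."""
    match = re.search(regex, event)
    if match is None:
        return default_host
    return match.group(1)


def run_comparison(event: str = SAMPLE_EVENT) -> dict:
    """Return the host each regex would assign to the given event."""
    return {
        "original": apply_host_transform(event, ORIGINAL_REGEX),
        "multiline": apply_host_transform(event, MULTILINE_REGEX),
    }


if __name__ == "__main__":
    for name, host in run_comparison().items():
        print(f"{name:9s} -> host={host}")
```

Running it shows the posted regex leaving the host as sbkhpsim1, because ^ only anchors at the very start of the multi-line event (the timestamp line), while the (?m) variant pulls sbkesx14 out of the indented "Event originator:" line. The posted regex does work when "Event originator:" is the first thing in the string, which is consistent with it passing in an isolated test but failing against the full event.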