DEST_KEY=MetaData:Host

Hi guys!!

We know that at the time of indexing data into indexers, Splunk software parses the data stream into a series of events. Now we can perform different actions on those events. For parsing and filtering we use two configuration files that is props.conf and transforms.conf in the heavy forwarders.

But what if you want to change the host name in the different events according to your requirement. So suppose there are four events, and you want to change the host name of any 2 events, then you can do this by performing parsing on your data.

So for this, I will show you how to do this.

See below we have given a sample data on which I am going to perform the parsing.

Hii guys
Today I am going to show you how to perform parsing.
and secondly I will use here two configuration
files that are  props.conf and
the transforms.conf ,both
the files are configured in
Heavy Forwarder and there is one another configuration file indexes.conf
which we will use later. 

Now follow the below steps:

STEP 1:

You have to go to the location where you want to save the sample data and then create a file. Here I have created file named host.txt in /tmp location. You can use any other location or any other existing file for storing your data.

STEP 2:

Now after creating the file, put the sample data in this file and after that press “esc” -> “:wq”

STEP 3:

We will configure inputs.conf. You can find the inputs.conf in the below path:

$SPLUNK_HOME$/etc/system/local/

In the inputs.conf we will mention the absolute path of the file of our sample data which we want to monitor. Now here we will mention the index,host and sourcetype.

STEP 4:

Now we will configure props.conf. You can find the props.conf in the below path:

$SPLUNK HOME$/etc/system/local/

Here you have to give the host then double colon(::)and the host name in stanza. Here I have used SHOULD_LINEMERGE=false by which the lines of my sample data will not merge.

Here the second attribute is TRANSFORMS-soo=do(the general format is TRANSFORMS-<class name>=<transformation name>. Here you can give any string name in “class name”, as I have gave “soo”. And the “transformation name” is the name which you will specify in transforms.conf stanza. It is shown in the next step.

STEP 5:

Now we will configure transforms.conf. You can find the transforms.conf in the same path as props.conf .

Here give the “transformation name” in stanza as I have given i.e [do]. In REGEX give the regular expression of the any string which you want to be replaced in the host name. I have used FORMAT=host::$1, here we will have to give the metadata name or the field name on which we want our regex pattern to be replaced.  I have used DEST_KEY= MetaData:Host,here  in whichever event the REGEX pattern will match,then the host name will be replaced by that pattern in that event only.

STEP 6:

After configuring the configuration files, you should always restart the splunk in HF and UF both, so that all the changes will be updated. Make sure you have already created the index in the indexer as specified in the inputs.conf.

STEP 7:

After restarting the splunk, go to that text file i.e host.txt and add some more data in that.

STEP 8:

So now you can see that the events which matches the pattern defined in REGEX,then the host name of that event is replaced by that pattern only. See the REGEX pattern matches in the event indexes.conf , transforms.conf and props.conf in the events so it will become the host names in those events.

Hope, this has helped you in achieving the below requirement without fail:

DEST_KEY=MetaData:Host

Happy Splunking  !!

Advertisements