Override default host values based on event data
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Override default host values based on event data
Splunk assigns default host names to your events based on data in those events. This topic shows you how to override specific default host assignments when these default assignments are incorrect.
Configuration
To set up host value overrides based on event data, you need to edit transforms.conf and props.conf. Edit these files in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information about configuration files in general, see "About configuration files" in this manual.
Edits to transforms.conf
Add your custom stanza to $SPLUNK_HOME/etc/system/local/transforms.conf. Configure your stanza as follows:
[$UNIQUE_STANZA_NAME] DEST_KEY = MetaData:Host REGEX = $YOUR_REGEX FORMAT = host::$1
Fill in the stanza name and the regex fields with the correct values for your data.
Leave DEST_KEY = MetaData:Host to write a value to the host:: field. FORMAT = host::$1 writes the REGEX value into the host:: field.
Note: Name your stanza with a unique identifier (so it is not confused with an existing stanza in $SPLUNK_HOME/etc/system/default/transforms.conf).
Edits to props.conf
Create a stanza in $SPLUNK_HOME/etc/system/local/props.conf to map the transforms.conf regex to the source type in props.conf.
[<spec>] TRANSFORMS-$name=$UNIQUE_STANZA_NAME
-
<spec>can be:- <sourcetype>, the sourcetype of an event
- host::<host>, where <host> is the host for an event
- source::<source>, where <source> is the source for an event
$nameis whatever unique identifier you want to give to your transform.$UNIQUE_STANZA_NAMEmust match the stanza name of the transform you just created intransforms.conf.
Note: Optionally add any other valid attribute/value pairs from props.conf when defining your stanza. This assigns the attributes to the <spec> you have set. For example, if you have custom line-breaking rules to set for the same <spec>, append those attributes to your stanza.
Example
Here is a set of events from the houseness.log file. They contain the host in the third position.
41602046:53 accepted fflanda 41602050:29 accepted rhallen 41602052:17 accepted fflanda
Create a regex to extract the host value and add it to a new stanza in $SPLUNK_HOME/etc/system/local/transforms.conf:
[houseness] DEST_KEY = MetaData:Host REGEX = \s(\w*)$ FORMAT = host::$1
Now, link your transforms.conf stanza to $SPLUNK_HOME/etc/system/local/props.conf so your transforms are called. Optionally add any additional attribute/value pairs from props.conf as needed.
The transform above works with the following stanza in props.conf:
[source::.../houseness.log] TRANSFORMS-rhallen=houseness SHOULD_LINEMERGE = false
The above stanza has the additional attribute/value pair SHOULD_LINEMERGE = false. This specifies that Splunk should create new events at a newline.
Note: The additional -rhallen in the attribute TRANSFORMS-rhallen serves to differentiate this transform from other transforms.
The events now appear in SplunkWeb as the following:
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.