Refine your search:

How to set the value of host variable

0

I have a sql that returns rows with values MachineName, Errors

ABC 5
DEF 3

I would like value of MACHINENAME column to be assigned to the host variable.

I read this article

http://www.splunk.com/base/Documentation/latest/Admin/Overridedefaulthostassignments

but wasn't sure how to set the host variable in my particular case.

My Transforms file looks like

[xmlkv-extraction]
MV_ADD = true
REPEAT_MATCH = true
REGEX = <([^\s>])[^>]>([^<]*)\<\/\1>
FORMAT = $1::$2

and Props looks like

[ErrorMissingObject]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = False
LINE_BREAKER = ()
REPORT-xmlkv = xmlkv-extraction

I am wondering if I can use REPORT-xmlkv and TRANSFORM-xmlv in one file

asked 13 Jan '11, 01:38

danurag's gravatar image

danurag
10116
accept rate: 0%

One Answer:
oldestnewestmost voted
0

host is one of the very few fields assigned at index time, so it works a little differently than most field extractions.

The link you already found is the right starting point, but maybe this will help clarify.

transforms.conf:

[override-hostname]
DEST_KEY = MetaData:Host
REGEX = ^(\S+)
FORMAT = host::$1

props.conf:

[ErrorMissingObject]
TRANSFORMS-host = override-hostname

In transforms.conf, we're telling it to match as many non-space characters as possible at the beginning of a line. Then, assign it to the hosts value. In props.conf, note that you need to use TRANSFORMS-xxx instead of REPORT-xxx, since this is happening at index time. Props.conf is what tells Splunk to actually apply the transform we defined to your data.

I'm assuming from your current props.conf that ErrorMissingObject is the sourcetype for these entries. You can just add the TRANSFORMS-host line to what's already there.

link

answered 13 Jan '11, 03:11

southeringtonp's gravatar image

southeringtonp ♦
4.9k2524
accept rate: 35%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×182
×139

Asked: 13 Jan '11, 01:38

Seen: 1,851 times

Last updated: 10 Apr '11, 16:22

Related questions

Splunk indexer displays events from my new forwader with the host field showing IP address, I want the hostname

Set hostname correctly for SYSLOG input coming into Forwarder

How do I force IP address for host property instead of hostname

How to generate a list of just the IPs?

clientName vs host name question ?

Where is my host data coming from?

Modification of Host

transformation : set a field value according to the host

How to define a variable $host$ in the dashboard which should be used across the dashboard in all the panels and pass its value in default.xml or via url?

Copyright © 2005-2012 Splunk Inc. All rights reserved.