Refine your search:

Force index-time host extraction to lower-case

5
1

Is there a way to extract the hostname from an event, but force it to lower-case in the process?

Extracting the hostname is easy enough (DEST_KEY in transforms.conf, etc.), but this doesn't account for the case.

The SEDCMD option in props.conf would appear to be an option, but it's not clear whether 'y/[A-Z]/[a-z]/' style replacements are supported. Even if they are, using SEDCMD would modify the original event text, which is undesirable.

The goal is normalize hostnames so that they are consistent for all events from that machine, without modifying the actual event text.

asked 27 Aug '10, 17:35

southeringtonp's gravatar image

southeringtonp ♦
4.5k1215
accept rate: 35%

One Answer:
oldestnewestmost voted
2

I don't believe this is possible. There is certainly a case to be made for allowing simple transforms (e.g., simple string operations like yours, or basic arithmetic) that can not be accomplished by PCRE, but that would have to be an enhancement to the product, and has some other repercussions on searching for such transformed fields.

I suppose in your particular case, for search purposes it's not necessary (as search is case-insenstive), and for reporting and display you can still use the eval lower() function. It does mess up metadata a bit, but you could resolve that by, e.g., changing the metadata search on the dashboards from 

| metadata type=hosts

to 

| metadata type=hosts 
| eval host=lower(host) 
| stats 
    sum(totalCount) as totalCount
    min(firstTime) as firstTime
    max(lastTime) as lastTime
    max(recentTime) as recentTime
    first(type) as type
  by host

(though this might actually get recentTime wrong, but I doubt that's a problem in practice)

If you're looking at a few specific hosts and specific ways they are capitalized, you could also construct a lookup table and set a combination of automatic FIELDALIAS and LOOKUP to overwrite the original host field. You could do it with a scripted lookup too I guess, if it's more complicated than that. This seems a little wrong to me though.

link

answered 28 Aug '10, 18:47

gkanapathy's gravatar image

gkanapathy ♦
26.5k1622
accept rate: 42%

1

gkanapathy is correct here. Although SEDCMD can perform y///g substitutions, it's only on _raw and not on any other fields.

(28 Aug '10, 21:49) Stephen Sorkin ♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×98

Asked: 27 Aug '10, 17:35

Seen: 769 times

Last updated: 28 Aug '10, 18:47

Related questions

Can I prevent the default index-time extraction for the "host" field to occur for events of the "syslog" sourcetype?

Lost forwarder search case sensitive for host name

How do I delete all references of a host so it stops showing up on the host list?

Calculate difference between TIME in host x and TIME in host y

Host name extraction from syslog repository

How do I return the time of the first event from a specific host in the main index?

index and alert on any host by total count

How to sort the output baed on time and host?

host name extraction for multiple types of logs

Copyright © 2005-2012 Splunk, Inc. All rights reserved.