Refine your search:

Setting MetaData:Host over transforms.conf doesn't work

0

I have icinga debug logs from a server called monitoring01 looking like:

[1284468200.195107] Checking service 'sys - Zeus ZXTM LB zeus.flipper processes' on host 'balance01'...

monitoring01 is a splunk forwarder. Now I want to rename the host bit on splunk from monitoring01 to whatever host is mentioned in the logfile, in the above example that would be 'balance01'.

On monitoring01 (splunk forwarder) I have the following files in place. They should convert the time and the hostname:

/opt/splunk/etc/apps/scripts/props.conf:

[script://./bin/icinga_converter.sh]
TIME_PREFIX = \[\d{10}
TIME_FORMAT = %+
MAX_TIMESTAMP_LOOKAHEAD = 11
SHOULD_LINEMERGE = false
TRANSFORMS-hostname = icinga_hostconverter

/opt/splunk/etc/apps/scripts/transforms.conf:

[icinga_hostconverter]
REGEX = ([^']*)'\.\.\.$
FORMAT = host::$1
DEST_KEY = MetaData:Host

The timestamp is taken out of the logline instead of arrival time at splunk correctly, but MetaData:Host remains to be set as monitoring01.

I can't find any hint, why the transformation won't work. Does anybody have an idea?

asked 14 Sep '10, 12:57

Thomas%20Gresch's gravatar image

Thomas Gresch
112
accept rate: 0%

Are the paths correct? transforms.conf and props.conf should go into either a default or local directory in your application (../etc/apps/scripts/default/transforms.conf).

(14 Sep '10, 18:00) Jeremiah

I've tried moving them into a local/ and a default/ directory within the app - no effect.

(19 Sep '10, 13:05) Thomas Gresch
2 Answers:
oldestnewestmost voted
1

Thomas, are you using a regular forwarder or a lightweight forwarder? If you are using a LWF, then your host transform will not be honored. If this is the case, then you should put your host extraction configuration on the indexer.

link

answered 14 Sep '10, 18:57

hulahoop's gravatar image

hulahoop ♦
2.5k3240
accept rate: 40%

edited 16 Sep '10, 17:39

I've switched the forwarder from a LightWeight forwarder to a regular forwarder:

'splunk display app' shows

SplunkForwarder UNCONFIGURED ENABLED INVISIBLE
SplunkLightForwarder UNCONFIGURED DISABLED INVISIBLE

but still no effect.

(19 Sep '10, 13:21) Thomas Gresch
0

You have your source in props.conf as type script:: - Are you doing an internal pull using this script?

Try doing a plain forwarding of the raw file to the indexer, and specify source:: at the indexing props.conf instead.

link

answered 02 Mar '11, 09:50

tskimball's gravatar image

tskimball
133
accept rate: 0%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×74

Asked: 14 Sep '10, 12:57

Seen: 1,021 times

Last updated: 02 Mar '11, 09:50

Related questions

Why does SOURCE_KEY=MetaData:Host not work for REPORT stanzas?

| metadata type=sources maxes out at 10000 - limits.conf setting?

metadata search in a macro doesnt seem to work

how to get host, sourcetype and source from a single |metadata search.

Why is the batch processor not honouring the metadata header?

How can I rewrite/add info from metadata to the contents of the raw log line?

Setting sourcetype with a complex regex - transforms.conf

metadata with splunk_server

Copyright © 2005-2012 Splunk, Inc. All rights reserved.