Re: Host override at search time

giorgio_adami_m · ‎05-18-2015

I want to override the Host value at search time, not at index time because I need to override it just in the context of a specific app.

EXTRACT-field = (?P<host>my_regex)

It does not work. Why?
Is there another way to do this?

jkat54 · ‎02-15-2017

Does this work?

EXTRACT-field = (?P<otherField>my_regex)
EVAL-host = otherField

claudio_manig · ‎02-15-2017

I had an another approach which is a bit hacky but seems to work so far:
Extracting the host with extract or report in a new field called host_temp (i used report and transforms)
Created an alias for host_temp to host

Thats it, don't ask me how stable that solution is.
Cheers

mkemmerer · ‎06-15-2015

I was able to do it in SPL for a top event (replacing the hostname with the extracted user name). Perhaps you could make a macro for ease of implementation?

Here's the sample event:

20861  root              20     0  130284    1956    1192   R    11.8     0.0       0:00.03  top

Here's the query:

index=os sourcetype=top| rex field=_raw "^\s+\d+\s+(?P<host>\w+)"

bnorthway · ‎06-15-2015

I don't think this is possible. I was trying to do the same thing. Here are instructions for overriding the host value. Note, however, that the doc for transforms.conf indicates that the DEST_KEY attribute is only valid for index-time operations. Also, the TRANSFORMS attribute in props.conf is only valid at index-time as well.

Given this, I plan on re-importing my data.

kheli · ‎05-18-2015

make sure u search within the context of the app

giorgio_adami_m · ‎05-18-2015

I am damn sure.
The problem is the name "host". If I try to give another name to my field, the EXTRACT works, but I need to override "host".

Host override at search time

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!