
Duplicate Host Field from JSON Event

Hey there,

we are pumping millions of Zabbix events into our Splunk environment over a Heavy Forwarder. The events are JSON strings like this:

    {"host":"myHostname","groups":["OS_RHEL","OS_RHEL_ES"],"applications":["FS RHELBASIC","Filesystems"],"itemid":1234,"name":"/var/log - used space (total)","clock":1562748008,"ns":583690877,"value":194605056}

The props for this sourcetype look like this:

props.conf

    TIME_PREFIX=\"clock\"\:
    CHARSET=UTF-8
    INDEXED_EXTRACTIONS=json
    SHOULD_LINEMERGE=false

At first my problem was that the host field was filled with the hostname of the Heavy Forwarder. For easier use for our users, I want the host from the JSON event in my Splunk "host" field. I tried to do that with the following transforms:

    [set_hostname_zabbix]
    REGEX = "host":"([^"]+)
    FORMAT = host::$1
    DEST_KEY = MetaData:Host

This kind of worked, but now my problem is that I got two host fields, both filled with the same data. Any ideas how I can fix this, so I just get one host field filled with the hostname from the JSON event?

Regards,
Max
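A way to check the REGEX from the `[set_hostname_zabbix]` stanza against sample events before relying on it for the host metadata; this is an added example, not part of the original post. It assumes Python's `re` behaves like Splunk's regex engine for this simple pattern, writes the capture as a plain group for `$1`, and uses constructed events apart from the first one.

```python
import json
import re

# REGEX from the [set_hostname_zabbix] stanza, with a plain capture group for $1.
HOST_REGEX = re.compile(r'"host":"([^"]+)')


def host_from_regex(raw):
    """First capture of the transform's REGEX on the raw event, or None if no match."""
    match = HOST_REGEX.search(raw)
    return match.group(1) if match else None


def host_from_json(raw):
    """Top-level "host" key as a JSON parser sees it, or None."""
    value = json.loads(raw).get("host")
    return value if isinstance(value, str) else None


def check(raw):
    """Return (regex_host, json_host, agree) for one raw event."""
    regex_host, json_host = host_from_regex(raw), host_from_json(raw)
    return regex_host, json_host, regex_host == json_host


SAMPLES = {
    # Event quoted in the post.
    "post": '{"host":"myHostname","groups":["OS_RHEL","OS_RHEL_ES"],'
            '"applications":["FS RHELBASIC","Filesystems"],"itemid":1234,'
            '"name":"/var/log - used space (total)","clock":1562748008,'
            '"ns":583690877,"value":194605056}',
    # Constructed: same key, but serialized with a space after the colon.
    "spaced": '{"host": "myHostname", "itemid": 1234}',
    # Constructed: a nested "host" key appears before the top-level one.
    "nested": '{"meta":{"host":"proxy01"},"host":"myHostname"}',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        regex_host, json_host, agree = check(raw)
        status = "ok" if agree else "MISMATCH"
        print(f"{name:8} regex={regex_host!r:14} json={json_host!r:14} {status}")
```

A `None` from the regex means the transform would not fire for that event; a mismatch means the text match and the JSON parse disagree about which value is the host.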
