Channel: Questions in topic: "splunk-enterprise"

props/transforms not taking effect

Hello, I have a single Splunk Enterprise instance with a 9997 listener. I have a single Windows Server with a UF forwarding data to the Splunk Enterprise. This is all good, data is being forwarded as expected. I am now trying to make a few `props.conf` changes to the data, but none of my configuration seems to make any difference when I go look in the Splunk Enterprise search app.

Here in `props.conf` I am trying to transform the host, set the timezone to Sydney and set the event time:

```
[WinEventLog:*]
TRANSFORMS-change_host = WinEventHostOverride
TZ = Australia/Sydney
DATETIME_CONFIG = CURRENT
```

Here in `transforms.conf` is my host override block:

```
[WinEventHostOverride]
DEST_KEY = MetaData:Host
REGEX = (?m)^ComputerName=([\S]*)
FORMAT = host::$1
```

On every change I make, I have performed a `splunk.exe restart` on the UF host, however nothing appears to change in my index. Here is a sample from my index.

- As you can see the `Time` field is UTC, but I want the time in the actual Event to be the Time.
- The `host` field is not transforming to the correct ComputerName field in the event.

![alt text][1]

[1]: /storage/temp/255897-screen-shot-2018-09-03-at-80106-am.png

Using answers from other questions, I used the following search query to "test" the regex and it appears to work, so I am confused why it doesn't work:

```
index=* | head 1 | eval testdata="ComputerName=ahslc01p" | regex testdata="(?m)^ComputerName=([\S]*)" | stats count
```
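The following is an added illustration, not code from the question or from Splunk, of what the three index-time settings in the post (`TRANSFORMS-change_host`, `TZ`, `DATETIME_CONFIG`) do to one event once they reach the parsing pipeline. Splunk runs that pipeline on the instance that parses the stream; a universal forwarder does not parse, so in a UF-to-indexer setup these stanzas take effect on the indexer, not on the forwarder host. The script models the host override regex and the two timestamp modes (`TZ = Australia/Sydney` applied to the timestamp in the event text, versus `DATETIME_CONFIG = CURRENT`, which stamps the event with the parsing host's clock instead of the event's own time). The raw WinEventLog event, the `ahslc01p.example.local` hostname, the `forwarder01` default host and the `INDEX_TIME` value are all constructed for the example.

```python
"""Model of what the index-time settings in the question do to one event.

Added illustration, not Splunk's or the poster's code. TRANSFORMS-, TZ and
DATETIME_CONFIG are applied in Splunk's parsing pipeline, which a universal
forwarder does not run; in the setup described they take effect on the
Splunk Enterprise indexer.
"""
import re
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    SYDNEY = ZoneInfo("Australia/Sydney")
except Exception:  # no tz database installed: assume AEST (UTC+10), ignoring DST
    SYDNEY = timezone(timedelta(hours=10), "AEST")
UTC = timezone.utc

# Constructed raw event in the classic (non-XML) WinEventLog key=value layout:
# first line is the event's own timestamp, with no zone information.
SAMPLE_EVENT = """09/03/2018 07:55:12 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=ahslc01p.example.local
TaskCategory=Logon
OpCode=Info
RecordNumber=123456
Keywords=Audit Success
Message=An account was successfully logged on."""

# Constructed clock value for the moment the indexer parsed the event.
INDEX_TIME = datetime(2018, 9, 3, 8, 1, 6, tzinfo=UTC)

# The transforms.conf stanza from the question, as Python data.
HOST_OVERRIDE = {
    "REGEX": r"(?m)^ComputerName=([\S]*)",
    "FORMAT": "host::$1",
    "DEST_KEY": "MetaData:Host",
}


def apply_host_override(raw: str, transform: dict, default_host: str) -> str:
    """Return the host the event would be indexed with: FORMAT with $1 filled
    in when REGEX matches the raw text, else the default (the forwarder's
    own host name)."""
    m = re.search(transform["REGEX"], raw)
    if not m:
        return default_host
    value = transform["FORMAT"].replace("$1", m.group(1))
    # FORMAT for MetaData:Host is written "host::<value>"; strip the key prefix.
    # Note [\S]* keeps the whole FQDN, not just the short name.
    return value.split("::", 1)[1]


def event_time_from_text(raw: str, tz) -> int:
    """DATETIME_CONFIG left unset: take the first line as the timestamp and,
    because the text carries no zone, interpret it in TZ. Returns epoch
    seconds, i.e. what _time would hold."""
    first_line = raw.splitlines()[0]
    naive = datetime.strptime(first_line, "%m/%d/%Y %I:%M:%S %p")
    return int(naive.replace(tzinfo=tz).timestamp())


def event_time_current(raw: str, now: datetime) -> int:
    """DATETIME_CONFIG = CURRENT: the event text is ignored and _time is the
    parsing host's clock at index time, so TZ has nothing to act on."""
    return int(now.timestamp())


if __name__ == "__main__":
    print("host            :", apply_host_override(SAMPLE_EVENT, HOST_OVERRIDE, "forwarder01"))
    print("_time, TZ Sydney:", event_time_from_text(SAMPLE_EVENT, SYDNEY))
    print("_time, TZ UTC   :", event_time_from_text(SAMPLE_EVENT, UTC))
    print("_time, CURRENT  :", event_time_current(SAMPLE_EVENT, INDEX_TIME))
```

Running it shows that the regex does extract the host from the raw event, that the same 07:55:12 text lands ten hours apart depending on whether `TZ` resolves to Sydney or is left at UTC, and that with `DATETIME_CONFIG = CURRENT` the event's own timestamp is never consulted at all.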
