I have a Linux server that ingests pre-cooked log files. Each line of the log file begins with the host that the log originated from. I have a universal forwarder on a Linux server watching for log files, and I would like to rename the host field from the Linux server to use the server in the event line.
On the universal forwarder I added the following, but host is still ldxx90vds19. What am I missing here? I'm in a distributed environment and tried adding the same to the search heads, with no luck.
inputs.conf
[batch:///app1/vdsext/elk/stats/prod/pull/serverStats.*.csv.*]
source = ldxx90vds19
sourcetype = vds:serverstats
disabled = false
index = vds
move_policy = sinkhole
initCrcLength = 1000
props.conf
[vds:serverstats]
TRANSFORMS-hostname = vdshostname
transforms.conf
[vdshostname]
REGEX = ^[a-z]\w+
FORMAT = host::$1
DEST_KEY = MetaData:Host
Sample log:
ldxx90vds2,1493923501.828,0.685,0.652,97.793,0.802,0.0,0.067,0.050,0.060,0.030,11538391040.0,410136576.0,6964232192.0,6279286784.0,1276254.500,22937.400,0.0,39.300,0.0,1823129.600
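A pre-deployment check for the `[vdshostname]` stanza above, as an added example that is not part of the original post: it verifies that every `$n` in FORMAT has a matching capture group in REGEX and shows what the stanza would write for the sample event. The `simulate` helper and the `WITH_GROUP` variant are hypothetical, and Python's `re` stands in for Splunk's PCRE engine, which behaves the same for these patterns.

```python
import configparser
import re

# The [vdshostname] stanza exactly as posted.
POSTED = r"""
[vdshostname]
REGEX = ^[a-z]\w+
FORMAT = host::$1
DEST_KEY = MetaData:Host
"""
# Constructed variant: same stanza, with the leading field wrapped in a capture group.
WITH_GROUP = POSTED.replace(r"^[a-z]\w+", r"^([a-z]\w+),")

# Shortened copy of the sample log line from the post.
EVENT = "ldxx90vds2,1493923501.828,0.685,0.652,97.793"


def simulate(conf_text, stanza, event):
    """Simplified model of one transforms.conf stanza (not Splunk's engine).

    Returns (DEST_KEY, value) on success, or (None, reason) when the stanza
    cannot produce a value for this event.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep REGEX / FORMAT / DEST_KEY case-sensitive
    cp.read_string(conf_text)
    s = cp[stanza]
    rx = re.compile(s["REGEX"])
    # Every $n referenced by FORMAT must exist as a capture group in REGEX.
    refs = [int(n) for n in re.findall(r"\$(\d+)", s["FORMAT"])]
    missing = [n for n in refs if n > rx.groups]
    if missing:
        return None, f"FORMAT uses ${missing[0]} but REGEX defines {rx.groups} capture group(s)"
    m = rx.search(event)
    if m is None:
        return None, "REGEX does not match the event"
    value = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", s["FORMAT"])
    return s["DEST_KEY"], value


if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("with capture group", WITH_GROUP)):
        print(label, "->", simulate(conf, "vdshostname", EVENT))
```

Index-time rules like this one are applied by the first instance that parses the data (a heavy forwarder or indexer); a universal forwarder does not parse unstructured input, and search heads do not rewrite host on events that are already indexed.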