From 6250cd601f09d2b832a0c4b4daec70ef999b9ae6 Mon Sep 17 00:00:00 2001
From: Daryl Coburn
Date: Mon, 30 Sep 2024 16:00:03 -0600
Subject: [PATCH] re-added observer and log.source.hostname to host_split sans domain

---
 config/enrichments/18_host_split.conf | 20 ++------------------
 1 file changed, 2 insertions(+), 18 deletions(-)

diff --git a/config/enrichments/18_host_split.conf b/config/enrichments/18_host_split.conf
index 486d2573..0dcacc7a 100644
--- a/config/enrichments/18_host_split.conf
+++ b/config/enrichments/18_host_split.conf
@@ -93,20 +93,12 @@ filter {
 if [log][source][hostname] =~ "^.*?\..*?$" {
 if [log][source][hostname] =~ "^\d+\.\d+\.\d+\.\d+\..*?$" {
 grok {
- match => { "[log][source][hostname]" => "^(?<[log][source][tmp]>\d+.\d+.\d+.\d+)\.(?<[log][source][domain]>.*?)$" }
+ match => { "[log][source][hostname]" => "^(?<[log][source][tmp]>\d+.\d+.\d+.\d+)\..*?$" }
 tag_on_failure => "_logsourcehostname_grok_failure"
 }
 mutate {
 rename => { "[log][source][tmp]" => "[log][source][hostname]" }
 }
- } else if [log][source][hostname] !~ "^\d+\.\d+\.\d+\.\d+$" {
- grok {
- match => { "[log][source][hostname]" => "^(?<[log][source][tmp]>.*?)\.(?<[log][source][domain]>.*?)$" }
- tag_on_failure => "_logsourcehostname_grok_failure_2"
- }
- mutate {
- rename => { "[log][source][tmp]" => "[log][source][hostname]" }
- }
 }
 }
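Review bot: The rewritten grok capture on the `+` line keeps the dots unescaped (`\d+.\d+.\d+.\d+`) while the `if` guard two lines above escapes them, so the capture is looser than the condition that admits the event and could, on unusual inputs, bind something other than the dotted quad into `[log][source][tmp]` before it is renamed over `[log][source][hostname]`; aligning it with the guard, `match => { "[log][source][hostname]" => "^(?<[log][source][tmp]>\d+\.\d+\.\d+\.\d+)\..*?$" }`, makes the intent explicit and keeps the field a plain IPv4 literal. The `[observer][hostname]` hunk below carries the identical pattern and should get the same change. Because the domain capture and the non-IP `else if` branch are removed, a comment above the outer `if` would stop the next reader from re-adding them, e.g. `# Only an IPv4 literal with a trailing suffix is rewritten to the bare address; FQDNs are left untouched and no [domain] field is derived here.` The enclosing `filter` block starts before this hunk.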
@@ -135,20 +127,12 @@ filter {
 if [observer][hostname] =~ "^.*?\..*?$" {
 if [observer][hostname] =~ "^\d+\.\d+\.\d+\.\d+\..*?$" {
 grok {
- match => { "[observer][hostname]" => "^(?<[observer][tmp]>\d+.\d+.\d+.\d+)\.(?<[observer][domain]>.*?)$" }
+ match => { "[observer][hostname]" => "^(?<[observer][tmp]>\d+.\d+.\d+.\d+)\..*?$" }
 tag_on_failure => "_observerhostname_grok_failure"
 }
 mutate {
 rename => { "[observer][tmp]" => "[observer][hostname]" }
 }
- } else if [observer][hostname] !~ "^\d+\.\d+\.\d+\.\d+$" {
- grok {
- match => { "[observer][hostname]" => "^(?<[observer][tmp]>.*?)\.(?<[observer][domain]>.*?)$" }
- tag_on_failure => "_observerhostname_grok_failure_2"
- }
- mutate {
- rename => { "[observer][tmp]" => "[observer][hostname]" }
- }
 }
 }
 }