https://community.splunk.com/t5/Splunk-Enterprise/Creating-new-field-from-raw-event/m-p/711112#M21582 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/261968">@RSS_STT</a>&nbsp;</P><P>The issue here is the source_key which is incorrectly set, it should be set to _raw, although _raw is the default so you could just remove that line entirely.</P><P>You also do not need to specify the naming of the extraction in the REGEX and instead use $1, so your resulting transform will look like:</P><P>&nbsp;</P><LI-CODE lang="markup">[severity] REGEX = "level":\s\"(\w+) FORMAT = severity::"$1" WRITE_META = true</LI-CODE><P>&nbsp;</P><P>Please let me know how you get on and consider upvoting/karma this answer if it has helped.<BR />Regards</P><P>Will</P> Mon, 10 Feb 2025 10:16:40 GMT livehybrid 2025-02-10T10:16:40Z https://community.splunk.com/t5/Splunk-Enterprise/Creating-new-field-from-raw-event/m-p/711111#M21581 <P>i want to create new index time field severity if raw json payload have level field value is Information.</P><P>{ "level": "Information", "ORIGIN_Severity_name": "CRITICAL", "ProductArea": "Application", "ORIGIN_Product": "Infrastructure"}</P><P>What's wrong in my transforms.conf configuration. Any help much appreciated.</P><P><U><STRONG>transforms.conf</STRONG></U></P><P>[severity]<BR />REGEX = "level":\s\"(?&lt;severity&gt;\w+)<BR />SOURCE_KEY = fields:level<BR />FORMAT = severity::"INFO"<BR />WRITE_META = true</P><P>&nbsp;</P> Mon, 10 Feb 2025 10:08:06 GMT https://community.splunk.com/t5/Splunk-Enterprise/Creating-new-field-from-raw-event/m-p/711111#M21581 RSS_STT 2025-02-10T10:08:06Z https://community.splunk.com/t5/Splunk-Enterprise/Creating-new-field-from-raw-event/m-p/711112#M21582 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/261968">@RSS_STT</a>&nbsp;</P><P>The issue here is the source_key which is incorrectly set, it should be set to _raw, although _raw is the default so you could just remove that line entirely.</P><P>You also do not need to specify the naming of the extraction in the REGEX and instead use $1, so your resulting transform will look like:</P><P>&nbsp;</P><LI-CODE lang="markup">[severity] REGEX = "level":\s\"(\w+) FORMAT = severity::"$1" WRITE_META = true</LI-CODE><P>&nbsp;</P><P>Please let me know how you get on and consider upvoting/karma this answer if it has helped.<BR />Regards</P><P>Will</P> Mon, 10 Feb 2025 10:16:40 GMT https://community.splunk.com/t5/Splunk-Enterprise/Creating-new-field-from-raw-event/m-p/711112#M21582 livehybrid 2025-02-10T10:16:40Z https://community.splunk.com/t5/Splunk-Enterprise/Creating-new-field-from-raw-event/m-p/711117#M21583 <P>it helped but how can ensure that it's create severity = INFO field only when level=Information.</P> Mon, 10 Feb 2025 10:28:42 GMT https://community.splunk.com/t5/Splunk-Enterprise/Creating-new-field-from-raw-event/m-p/711117#M21583 RSS_STT 2025-02-10T10:28:42Z https://community.splunk.com/t5/Splunk-Enterprise/Creating-new-field-from-raw-event/m-p/711133#M21584 <P>Oh I see, sorry.</P><P>In that case you could do:</P><P>&nbsp;</P><LI-CODE lang="markup">[severity] REGEX = "level":\s\"(Informational) FORMAT = severity::INFO WRITE_META = true</LI-CODE><P>&nbsp;</P><P>This means it will only set the severity field (to INFO) when level=Informational - Is this what you want, or should it be other values if not Informational?</P><P>Is there a particular reason you are looking to make this index-time instead of a search-time change?</P><P>&nbsp;</P> Mon, 10 Feb 2025 11:21:36 GMT https://community.splunk.com/t5/Splunk-Enterprise/Creating-new-field-from-raw-event/m-p/711133#M21584 livehybrid 2025-02-10T11:21:36Z