Props/transforms rewrite of _raw is adding a blank event

Glenn — Fri, 17 Feb 2012 14:38:04 GMT

Hi,

I am using a props/transforms TRANSFORM to add the source (log file) name to the _raw log event line.

props.conf:

[GC_throughput]
TRANSFORMS-GC_throughput = GC_add_source

transforms.conf

[GC_add_source]
SOURCE_KEY = MetaData:Source
REGEX = ^source::(.*)$
FORMAT = $1 $0
DEST_KEY = _raw

For some reason an "extra", event is being created on the Splunk server which is empty apart from the added source field. It doesn't even have a timestamp or anything, so is given a timestamp at the time it was indexed.

Ie. when not using the props/transforms, there are two events:

2012-02-17T13:19:43.101+0000: 1906587.847: [GC [PSYoungGen: 261184K->608K(261440K)] 422309K->161797K(1047872K), 0.0133890 secs]
2012-02-17T12:45:13.623+0000: 1904518.369: [GC [PSYoungGen: 261024K->384K(261504K)] 422093K->161509K(1047936K), 0.0166770 secs] [Times: user=0.01 sys=0.00, real=0.01 secs]

When I use the props/transform:

/tmp/verboseSunGC.log
/tmp/verboseSunGC.log 2012-02-17T13:19:43.101+0000: 1906587.847: [GC [PSYoungGen: 261184K->608K(261440K)] 422309K->161797K(1047872K), 0.0133890 secs]
/tmp/verboseSunGC.log 2012-02-17T12:45:13.623+0000: 1904518.369: [GC [PSYoungGen: 261024K->384K(261504K)] 422093K->161509K(1047936K), 0.0166770 secs] [Times: user=0.01 sys=0.00, real=0.01 secs]

Why is this, and/or what am I doing wrong?

Re: Props/transforms rewrite of _raw is adding a blank event

jeff — Thu, 12 Apr 2012 16:26:25 GMT

I'm totally guessing here, but the REGEX might be picking up a cr/lf after source, then inserting that into the _raw data, which is then being interpreted as a separate event.

How does it work if you try:

REGEX = ^source::([^\r\n]+)

topic Re: Props/transforms rewrite of _raw is adding a blank event in Getting Data In

Props/transforms rewrite of _raw is adding a blank event

Re: Props/transforms rewrite of _raw is adding a blank event