<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Same sourcetype, but different transforms per Host in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Same-sourcetype-but-different-transforms-per-Host/m-p/131475#M27033</link>
    <description>&lt;P&gt;It can be hard to perform both a host and sourcetype-specific transformation. It depends on what you want to be done.&lt;/P&gt;

&lt;P&gt;In props.conf, select the sourcetype. First, apply the usual transformation, then apply the exception case.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[mysourcetype]
TRANSFORMS-t1=firstTransform,secondTransform
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;In transforms.conf, send the data as needed. In the first transform, do whatever you are doing now. I just put in the nullQueue to have a complete example. The second transform selects the data based on the host name, not based on the event content.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[firstTransform]
REGEX = what_to_delete_based_on_raw_data
DEST_KEY = queue
FORMAT = nullQueue

[secondTransform]
SOURCE_KEY = MetaData:Host
REGEX = pattern_to_match_host_name
DEST_KEY = queue
FORMAT = indexQueue
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;You can read more about this at &lt;A href="http://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues"&gt;Filter Event Data and Send to Queues&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Please test this carefully and be sure to use regular expressions, not just "wildcards." I can't test it, so I might have made mistakes...&lt;/P&gt;</description>
    <pubDate>Wed, 06 Nov 2013 21:38:16 GMT</pubDate>
    <dc:creator>lguinn2</dc:creator>
    <dc:date>2013-11-06T21:38:16Z</dc:date>
    <item>
      <title>Same sourcetype, but different transforms per Host</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Same-sourcetype-but-different-transforms-per-Host/m-p/131474#M27032</link>
      <description>&lt;P&gt;I have an issue where we have a sourcetype that we want to remove a transform (on the indexer) that drops some data (but only for a specific host wildcard pattern).  I've been tasked with keeping the same sourcetype name, but not applying the transforms to outputs from a series of hosts.&lt;/P&gt;

&lt;P&gt;We already use a props [Host: ] stanza for timezones.  Is there a simple way to keep the same sourcetype, but force inputs from a particular host pattern to follow a different set of transforms?  Preferably a host (and sourcetype) specific transform.&lt;/P&gt;

&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Wed, 06 Nov 2013 20:51:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Same-sourcetype-but-different-transforms-per-Host/m-p/131474#M27032</guid>
      <dc:creator>adylent</dc:creator>
      <dc:date>2013-11-06T20:51:56Z</dc:date>
    </item>
    <item>
      <title>Re: Same sourcetype, but different transforms per Host</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Same-sourcetype-but-different-transforms-per-Host/m-p/131475#M27033</link>
      <description>&lt;P&gt;It can be hard to perform both a host and sourcetype-specific transformation. It depends on what you want to be done.&lt;/P&gt;

&lt;P&gt;In props.conf, select the sourcetype. First, apply the usual transformation, then apply the exception case.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[mysourcetype]
TRANSFORMS-t1=firstTransform,secondTransform
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;In transforms.conf, send the data as needed. In the first transform, do whatever you are doing now. I just put in the nullQueue to have a complete example. The second transform selects the data based on the host name, not based on the event content.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[firstTransform]
REGEX = what_to_delete_based_on_raw_data
DEST_KEY = queue
FORMAT = nullQueue

[secondTransform]
SOURCE_KEY = MetaData:Host
REGEX = pattern_to_match_host_name
DEST_KEY = queue
FORMAT = indexQueue
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;You can read more about this at &lt;A href="http://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues"&gt;Filter Event Data and Send to Queues&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Please test this carefully and be sure to use regular expressions, not just "wildcards." I can't test it, so I might have made mistakes...&lt;/P&gt;</description>
      <pubDate>Wed, 06 Nov 2013 21:38:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Same-sourcetype-but-different-transforms-per-Host/m-p/131475#M27033</guid>
      <dc:creator>lguinn2</dc:creator>
      <dc:date>2013-11-06T21:38:16Z</dc:date>
    </item>
    <item>
      <title>Re: Same sourcetype, but different transforms per Host</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Same-sourcetype-but-different-transforms-per-Host/m-p/131476#M27034</link>
      <description>&lt;P&gt;This is a really good answer.  Thank you.&lt;/P&gt;

&lt;P&gt;The props/transforms I'm working on have a mix of REPORT / EXTRACTS.  I ended up adding the rule at the end of the REPORT section and this looks to have done the trick in our development instance.&lt;/P&gt;</description>
      <pubDate>Thu, 07 Nov 2013 21:36:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Same-sourcetype-but-different-transforms-per-Host/m-p/131476#M27034</guid>
      <dc:creator>adylent</dc:creator>
      <dc:date>2013-11-07T21:36:39Z</dc:date>
    </item>
  </channel>
</rss>

