topic Transform at Index in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Transform-at-Index/m-p/237416#M46108 <P>I am attempting to build a exporting field that ArcSight can use to properly categorize. Here what I got:</P> <P>transform.conf<BR /> [devClassName]<BR /> REGEX = ($m)EventCode=(\d+)<BR /> FORMAT = devClassID::Microsoft-Windows-security-auditing:$1<BR /> WRITE_META = true</P> <P>props.conf<BR /> [WinEventLog:Security]<BR /> TRANSFORMS-DevExtract = devClassName</P> <P>fields.conf<BR /> [devClassID]<BR /> INDEXED = true</P> <P>I need the result to be: Microsoft-Windows-security-auditing:4663 were as 4663 is pulled from EventCode in Splunk.</P> <P>I have tried to build the transform just on my search forwarder, but it does not allow me to use the var $1</P> Sat, 08 Oct 2016 02:14:02 GMT baumerr 2016-10-08T02:14:02Z Transform at Index https://community.splunk.com/t5/Getting-Data-In/Transform-at-Index/m-p/237416#M46108 <P>I am attempting to build a exporting field that ArcSight can use to properly categorize. Here what I got:</P> <P>transform.conf<BR /> [devClassName]<BR /> REGEX = ($m)EventCode=(\d+)<BR /> FORMAT = devClassID::Microsoft-Windows-security-auditing:$1<BR /> WRITE_META = true</P> <P>props.conf<BR /> [WinEventLog:Security]<BR /> TRANSFORMS-DevExtract = devClassName</P> <P>fields.conf<BR /> [devClassID]<BR /> INDEXED = true</P> <P>I need the result to be: Microsoft-Windows-security-auditing:4663 were as 4663 is pulled from EventCode in Splunk.</P> <P>I have tried to build the transform just on my search forwarder, but it does not allow me to use the var $1</P> Sat, 08 Oct 2016 02:14:02 GMT https://community.splunk.com/t5/Getting-Data-In/Transform-at-Index/m-p/237416#M46108 baumerr 2016-10-08T02:14:02Z Re: Transform at Index https://community.splunk.com/t5/Getting-Data-In/Transform-at-Index/m-p/237417#M46109 <P>Hi baumerr, </P> <P>Seems the regex in your [devClassName] stanza is incorrect. Should be: </P> <P>REGEX = (?m)^EventCode=(\d+)</P> <P>The (?m)^ in the REGEX indicates a multi-line event that starts with EventCode. Please try again using the suggested regex statement. </P> <P>Hope it will work. Thanks! <BR /> Hunter</P> Sun, 09 Oct 2016 02:38:23 GMT https://community.splunk.com/t5/Getting-Data-In/Transform-at-Index/m-p/237417#M46109 hunters_splunk 2016-10-09T02:38:23Z