https://community.splunk.com/t5/Getting-Data-In/Can-I-override-two-keys-in-one-transforms-stanza/m-p/275442#M52829 <P>Your <CODE>transforms.conf</CODE> is fine but use this <CODE>props.conf</CODE>:</P> <PRE><CODE>[json_input] MAX_TIMESTAMP_LOOKAHEAD=30 TRANSFORMS-override-index = override-ldc, override-jrc </CODE></PRE> Tue, 05 Apr 2016 16:06:52 GMT woodcock 2016-04-05T16:06:52Z https://community.splunk.com/t5/Getting-Data-In/Can-I-override-two-keys-in-one-transforms-stanza/m-p/275441#M52828 <P>My current situation is that a bunch of files are all being dumped into one directory for the forwarder to monitor and send to the indexers. Based on a field in the data, I route the events to different indexes. These are the current props.conf and transforms.conf which are working.</P> <P>props.conf:</P> <PRE><CODE>[json_input] MAX_TIMESTAMP_LOOKAHEAD=30 ... TRANSFORMS-override-ldc=override-ldc TRANSFORMS-override-jrc=override-jrc </CODE></PRE> <P>transforms.conf:</P> <PRE><CODE> [override-ldc] SOURCE_KEY=_raw DEST_KEY=_MetaData:Index REGEX=fieldname\"\s*:\s*\"LDC.* FORMAT=foo_ldc [override-jrc] SOURCE_KEY=_raw DEST_KEY=_MetaData:Index REGEX=fieldname\"\s*:\s*\"JRC.* FORMAT=foo_jrc </CODE></PRE> <P>I also need to override the value for the source field based on the exact same REGEX. Can I use the same transforms stanza to update 2 metadata fields, or do I need to have a second transform which uses the same REGEX but overrides source rather than index?</P> Tue, 05 Apr 2016 15:46:02 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-override-two-keys-in-one-transforms-stanza/m-p/275441#M52828 lyndac 2016-04-05T15:46:02Z https://community.splunk.com/t5/Getting-Data-In/Can-I-override-two-keys-in-one-transforms-stanza/m-p/275442#M52829 <P>Your <CODE>transforms.conf</CODE> is fine but use this <CODE>props.conf</CODE>:</P> <PRE><CODE>[json_input] MAX_TIMESTAMP_LOOKAHEAD=30 TRANSFORMS-override-index = override-ldc, override-jrc </CODE></PRE> Tue, 05 Apr 2016 16:06:52 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-override-two-keys-in-one-transforms-stanza/m-p/275442#M52829 woodcock 2016-04-05T16:06:52Z https://community.splunk.com/t5/Getting-Data-In/Can-I-override-two-keys-in-one-transforms-stanza/m-p/275443#M52830 <P>You would've to add different transforms stanza to override Index and source as the DEST_KEY accepts only single fields.</P> Tue, 05 Apr 2016 16:11:42 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-override-two-keys-in-one-transforms-stanza/m-p/275443#M52830 somesoni2 2016-04-05T16:11:42Z https://community.splunk.com/t5/Getting-Data-In/Can-I-override-two-keys-in-one-transforms-stanza/m-p/275444#M52831 <P>So by listing the tranforms in one line, does that impact the way splunk executes the transforms? Is there a performance impact? I guess I'm asking why one line instead of two?</P> Tue, 05 Apr 2016 17:55:15 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-override-two-keys-in-one-transforms-stanza/m-p/275444#M52831 lyndac 2016-04-05T17:55:15Z https://community.splunk.com/t5/Getting-Data-In/Can-I-override-two-keys-in-one-transforms-stanza/m-p/275445#M52832 <P>Only <EM>very</EM> slight improvement but it is better because it is most clear/correct. You can also more easily control which one comes first by the order in the list.</P> Tue, 05 Apr 2016 18:06:41 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-override-two-keys-in-one-transforms-stanza/m-p/275445#M52832 woodcock 2016-04-05T18:06:41Z