https://community.splunk.com/t5/Getting-Data-In/transforms-conf-and-props-conf-for-replacing-substituing-values/m-p/444509#M77386 <P>If you really need to do it like this, I guess you need to change the REGEX and FORMAT parts, such that the REGEX matches the full raw event, captures the bits that you want to keep and then in FORMAT refer to the capture groups to keep the rest of the event.</P> <P>But I'm not 100% sure how this exactly works with csv indexed_extractions and somehow with this sample data you shared it does not make too much sense that this config does anything (since Ignore is not actually at the start of the event).</P> <P>But in general, it would work something like this in transforms.conf:</P> <PRE><CODE>[replacement] REGEX = (.*?)Ignore(.*) FORMAT = $1deferred$2 DEST_KEY = _raw </CODE></PRE> <P>See also: <A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata">https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata</A></P> Thu, 04 Jul 2019 07:40:56 GMT FrankVl 2019-07-04T07:40:56Z https://community.splunk.com/t5/Getting-Data-In/transforms-conf-and-props-conf-for-replacing-substituing-values/m-p/444504#M77381 <P>I want to replace/substitute the string value in the raw data with new string value. I have successfully done the substitution using props.conf (SED-cmd)</P> <P>But now I need to do the same with transforms.conf</P> <P>Scenario:</P> <P>Date,filedsA<BR /> 19-Jun,Ignore<BR /> 19-Jun,Ignore<BR /> 19-Jun,Ignore<BR /> 19-Jun,ABC<BR /> 19-Jun,DEF</P> <P>From the above data, I need to replace/substitute "Ignore" with "Deferred"</P> <P>So far, my transform.conf looks like this:</P> <P>[replacement]<BR /> REGEX = ^Ignore<BR /> FORMAT = deferred<BR /> DEST_KEY = _raw</P> <P>Props.conf<BR /> [replacement1]<BR /> TRANSFORMS-replace = replacement<BR /> BREAK_ONLY_BEFORE_DATE = <BR /> DATETIME_CONFIG = <BR /> INDEXED_EXTRACTIONS = csv<BR /> KV_MODE = none<BR /> LINE_BREAKER = ([\r\n]+)<BR /> NO_BINARY_CHECK = true<BR /> SHOULD_LINEMERGE = false<BR /> category = Structured<BR /> description = Comma-separated value format. Set header and other settings in "Delimited Settings"<BR /> disabled = false<BR /> pulldown_type = true</P> Wed, 30 Sep 2020 01:04:49 GMT https://community.splunk.com/t5/Getting-Data-In/transforms-conf-and-props-conf-for-replacing-substituing-values/m-p/444504#M77381 simon21 2020-09-30T01:04:49Z https://community.splunk.com/t5/Getting-Data-In/transforms-conf-and-props-conf-for-replacing-substituing-values/m-p/444505#M77382 <P>And what exactly is your question / problem? I guess this overwrites your entire raw event with just "deferred", which is not what you want?</P> <P>Is that sample data your full raw events or only part of it? Does this replacement have to be done at index time? If so, why does SED not work? If not, why not simply do this with a LOOKUP or EVAL?</P> Fri, 28 Jun 2019 12:51:25 GMT https://community.splunk.com/t5/Getting-Data-In/transforms-conf-and-props-conf-for-replacing-substituing-values/m-p/444505#M77382 FrankVl 2019-06-28T12:51:25Z https://community.splunk.com/t5/Getting-Data-In/transforms-conf-and-props-conf-for-replacing-substituing-values/m-p/444506#M77383 <P>The problem is the stanza header in props.conf should be <CODE>[&lt;YourSourcetypeHere&gt;]</CODE> but in any case, don't do it like that; use <CODE>SEDCMD</CODE> like this:</P> <PRE><CODE>[&lt;YourSourcetypeHere&gt;] SEDCMD-replace_ignore_with_deferred = s/Ignore/deferred/ </CODE></PRE> <P>But even more, it is poor form to modify your data this way, because it gives auditors the impression that this is the way the data really originated/always-was. It would be better to use a lookup <CODE>YourLookupHere.csv</CODE> that has data like this:</P> <PRE><CODE>oldFieldA,newFieldA Ignore,disabled </CODE></PRE> <P>Then use it like this:</P> <PRE><CODE>Your Spl Here ... | lookup YourLookupHere.csc fieldA OUTPUT oldFieldA AS fieldA OUTPUT newFieldA AS fieldA </CODE></PRE> Sat, 29 Jun 2019 14:51:29 GMT https://community.splunk.com/t5/Getting-Data-In/transforms-conf-and-props-conf-for-replacing-substituing-values/m-p/444506#M77383 woodcock 2019-06-29T14:51:29Z https://community.splunk.com/t5/Getting-Data-In/transforms-conf-and-props-conf-for-replacing-substituing-values/m-p/444507#M77384 <P>I do not wish to use SPL. Also, tried and successfully tested using props.conf (SEDCMD). But I particularity need to use the transforms.conf and props.conf to replace/substitute the values. </P> Thu, 04 Jul 2019 06:51:32 GMT https://community.splunk.com/t5/Getting-Data-In/transforms-conf-and-props-conf-for-replacing-substituing-values/m-p/444507#M77384 simon21 2019-07-04T06:51:32Z https://community.splunk.com/t5/Getting-Data-In/transforms-conf-and-props-conf-for-replacing-substituing-values/m-p/444508#M77385 <P>Yes, it indeed replaCes the entire event. This is my entire sample data. Replacement needs to e done at index time. SED did work, but we particularly need to make it work using transforms.conf</P> <P>Need it to happen via the conf files only. Hence not looking at lookup option or the eval SPL options.</P> Thu, 04 Jul 2019 06:53:41 GMT https://community.splunk.com/t5/Getting-Data-In/transforms-conf-and-props-conf-for-replacing-substituing-values/m-p/444508#M77385 simon21 2019-07-04T06:53:41Z https://community.splunk.com/t5/Getting-Data-In/transforms-conf-and-props-conf-for-replacing-substituing-values/m-p/444509#M77386 <P>If you really need to do it like this, I guess you need to change the REGEX and FORMAT parts, such that the REGEX matches the full raw event, captures the bits that you want to keep and then in FORMAT refer to the capture groups to keep the rest of the event.</P> <P>But I'm not 100% sure how this exactly works with csv indexed_extractions and somehow with this sample data you shared it does not make too much sense that this config does anything (since Ignore is not actually at the start of the event).</P> <P>But in general, it would work something like this in transforms.conf:</P> <PRE><CODE>[replacement] REGEX = (.*?)Ignore(.*) FORMAT = $1deferred$2 DEST_KEY = _raw </CODE></PRE> <P>See also: <A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata">https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata</A></P> Thu, 04 Jul 2019 07:40:56 GMT https://community.splunk.com/t5/Getting-Data-In/transforms-conf-and-props-conf-for-replacing-substituing-values/m-p/444509#M77386 FrankVl 2019-07-04T07:40:56Z https://community.splunk.com/t5/Getting-Data-In/transforms-conf-and-props-conf-for-replacing-substituing-values/m-p/444510#M77387 <P>Why? It is far more complicated. It sound like you need an answer for a test.</P> Thu, 04 Jul 2019 14:24:58 GMT https://community.splunk.com/t5/Getting-Data-In/transforms-conf-and-props-conf-for-replacing-substituing-values/m-p/444510#M77387 woodcock 2019-07-04T14:24:58Z https://community.splunk.com/t5/Getting-Data-In/transforms-conf-and-props-conf-for-replacing-substituing-values/m-p/444511#M77388 <P>Did you notice that at the start of this answer I also told you what is wrong with your original attempt?</P> Sat, 06 Jul 2019 01:25:08 GMT https://community.splunk.com/t5/Getting-Data-In/transforms-conf-and-props-conf-for-replacing-substituing-values/m-p/444511#M77388 woodcock 2019-07-06T01:25:08Z