topic Index Field Transform not Catching Every Event in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Index-Field-Transform-not-Catching-Every-Event/m-p/542651#M90661 <P>I'm running a simple transform to change the index from "tenable" to "tenable-dc" for one of my sourcetypes.</P><P>Props.conf</P><LI-CODE lang="markup">[tenable:sc:vuln] TRANSFORMS-~dcfilter = dcfilter</LI-CODE><P>Transforms.conf</P><LI-CODE lang="markup">[dcfilter] REGEX = ([Dd][Cc]01) FORMAT = $0-dc DEST_KEY = _MetaData:Index</LI-CODE><P>&nbsp;</P><P>The problem that I'm having is that the transform is not catching every event. I have 164 events that the filter should catch, but only 156 events are indexed in the new index (tenable-dc).</P><P>If I run the following search command, it catches all 164 events:</P><LI-CODE lang="markup">index=tenable* sourcetype=tenable:sc:vuln | regex _raw = "([Dd][Cc]01)"</LI-CODE><P>&nbsp;</P><P>I can't find any similarities between the 8 "missed" events or differences between those events and the 156 "captured" events. My first thought was that the regex was wrong, but the search-time regex works.&nbsp; Does anyone have any experience with index-time extractions missing events?</P> Fri, 05 Mar 2021 21:29:28 GMT aaron_gibby 2021-03-05T21:29:28Z Index Field Transform not Catching Every Event https://community.splunk.com/t5/Getting-Data-In/Index-Field-Transform-not-Catching-Every-Event/m-p/542651#M90661 <P>I'm running a simple transform to change the index from "tenable" to "tenable-dc" for one of my sourcetypes.</P><P>Props.conf</P><LI-CODE lang="markup">[tenable:sc:vuln] TRANSFORMS-~dcfilter = dcfilter</LI-CODE><P>Transforms.conf</P><LI-CODE lang="markup">[dcfilter] REGEX = ([Dd][Cc]01) FORMAT = $0-dc DEST_KEY = _MetaData:Index</LI-CODE><P>&nbsp;</P><P>The problem that I'm having is that the transform is not catching every event. I have 164 events that the filter should catch, but only 156 events are indexed in the new index (tenable-dc).</P><P>If I run the following search command, it catches all 164 events:</P><LI-CODE lang="markup">index=tenable* sourcetype=tenable:sc:vuln | regex _raw = "([Dd][Cc]01)"</LI-CODE><P>&nbsp;</P><P>I can't find any similarities between the 8 "missed" events or differences between those events and the 156 "captured" events. My first thought was that the regex was wrong, but the search-time regex works.&nbsp; Does anyone have any experience with index-time extractions missing events?</P> Fri, 05 Mar 2021 21:29:28 GMT https://community.splunk.com/t5/Getting-Data-In/Index-Field-Transform-not-Catching-Every-Event/m-p/542651#M90661 aaron_gibby 2021-03-05T21:29:28Z