Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Re: Global Transforms
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I suggest you avoid doing this, but either:
- Put it at the top of the props.conf file
- Apply it to
[source::...]
What are you trying to do with a global transform that you can't do with a more specific source, sourcetype, or host pattern match?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To add to what gkanapathy said. I suggested against this. Especially the [source::...] option. Because, if you add this stanza, then all other source-based props settings will no longer match. This is because this is because all first stanza to match so everything else will be ignore. See the docs: http://docs.splunk.com/Documentation/Splunk/5.0/admin/Propsconf
In other words, if you have a log file /var/log/httpd/error_log, it will not be assigned the sourcetype of apache_error, and WinEventLog events will no longer be split apart properly, ...
Not that I've tried this to confirm the behavior, but it can't be good.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to note: Since 5.0 - you can now use the [default] stanza.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To add to what gkanapathy said. I suggested against this. Especially the [source::...] option. Because, if you add this stanza, then all other source-based props settings will no longer match. This is because this is because all first stanza to match so everything else will be ignore. See the docs: http://docs.splunk.com/Documentation/Splunk/5.0/admin/Propsconf
In other words, if you have a log file /var/log/httpd/error_log, it will not be assigned the sourcetype of apache_error, and WinEventLog events will no longer be split apart properly, ...
Not that I've tried this to confirm the behavior, but it can't be good.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't believe this is the case. All matching stanza rules in props.conf are applied to events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I suggest you avoid doing this, but either:
- Put it at the top of the props.conf file
- Apply it to
[source::...]
What are you trying to do with a global transform that you can't do with a more specific source, sourcetype, or host pattern match?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A transform to pull information from a hostname and add fields accordingly (where the entire company conforms to a naming convention) would be useful for this as well, so it applies to all data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure what he is doing but I am trying to mask out credit card numbers no matter where they appear in any log.
Putting it at the top of the file works for me.
🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler
Observe and Secure All Apps with Splunk
Splunk Decoded: Business Transactions vs Business IQ
