
[addon] How can I search events using the source field after they have been transformed?

emily12234

Hi all

I have an addon plugin that utilizes REST API to obtain specific logs; each generated event has fixed values for both source and sourcetype.

Now there are customers who use props.conf and transforms.conf that will change the value of the source according to a particular column within an event; for instance, if the service is 'a', then the source changes to 'service_a'; if service is 'b' then it changes to 'service_b'.

The current problem is that obtaining logs works fine, and content can always be found using sourcetype. But when using transformed source to search, events cannot be found even though events with 'service_a' and 'service_b' are visible.

 

How should I adjust the addon or how should I configure local settings so that I can search using source?

 

Regards

Emily
