Is there a comprehensive DEST_KEY list?

Splunk Employee

Need a comprehensive list of possible DEST_KEY values.

1 Solution

Splunk Employee

See http://www.splunk.com/base/Documentation/4.1.6/Admin/Transformsconf

NOTE: Keys are case-sensitive. Use the following keys exactly as they appear.

queue : Specify which queue to send the event to (can be parsingQueue, nullQueue, indexQueue).

_raw : The raw text of the event.

_done : If set to any string, this is the last event in a stream.

_meta : A space-separated list of metadata for an event.

_time : The timestamp of the event, in seconds since 1/1/1970 UTC.

MetaData:FinalType : The event type of the event.

MetaData:Host : The host associated with the event. The value must be prefixed by "host::"

_MetaData:Index : The index where the event should be stored.

MetaData:Source : The source associated with the event. The value must be prefixed by "source::"

MetaData:Sourcetype : The sourcetype of the event. The value must be prefixed by "sourcetype::"

_TCP_ROUTING : Comma-separated list of tcpout group names (from outputs.conf). Defaults to the groups present in 'defaultGroup' for [tcpout].

_HTTP_ROUTING

  • NOTE: Any KEY prefixed by '_' is not indexed by Splunk, in general.

Also see transforms.conf.spec

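The following props.conf / transforms.conf fragments are an added example, not part of the original answer, showing the four DEST_KEY values a detection engineer most often touches: queue (drop noise with nullQueue, keep matches with indexQueue), _MetaData:Index, MetaData:Host with its mandatory "host::" prefix, and _TCP_ROUTING. The sourcetype name `syslog`, the index `auth_secure`, the tcpout group `siem_indexers` (assumed to exist as a `[tcpout:siem_indexers]` stanza in outputs.conf) and the regexes are all assumptions chosen for illustration.

```ini
# props.conf  (added example; stanza names and regexes are assumptions)
[syslog]
# Transforms run left to right; when two of them set the same DEST_KEY,
# the last one that matches wins. setnull must therefore come first.
TRANSFORMS-routing = setnull, setparsing, auth_to_secure_index, host_from_relay, to_siem

# transforms.conf  (added example)

# 1. Send every event to nullQueue ...
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2. ... then pull the sshd authentication lines back into indexQueue.
#    Everything that does not match this regex is discarded before indexing.
[setparsing]
REGEX = sshd\[\d+\]:\s+(Accepted|Failed)\s+\S+\s+for
DEST_KEY = queue
FORMAT = indexQueue

# 3. Store the surviving auth events in a dedicated index so that access
#    to them can be restricted by role (assumed index name).
[auth_to_secure_index]
REGEX = sshd\[\d+\]:\s+(Accepted|Failed)
DEST_KEY = _MetaData:Index
FORMAT = auth_secure

# 4. Overwrite host with the originating host carried in the syslog header
#    (relay/forwarder would otherwise be recorded). Value needs "host::".
[host_from_relay]
REGEX = ^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(\S+)\s
DEST_KEY = MetaData:Host
FORMAT = host::$1

# 5. Forward a copy to the SIEM indexer group defined in outputs.conf
#    (assumed [tcpout:siem_indexers] stanza).
[to_siem]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = siem_indexers
```

Two things worth checking before deploying something like this: the nullQueue/indexQueue pair discards data silently and permanently at parse time, so test the REGEX in setparsing against a captured sample first (`splunk cmd btool transforms list --debug` shows which stanza is in effect); and the MetaData:* keys without a leading underscore are indexed, so a wrong FORMAT for MetaData:Host (for example forgetting the "host::" prefix) shows up as malformed host values in search rather than as a parse-time error.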
