Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Apply multiple transforms to a single host

timbCFCA
Path Finder
‎12-19-2017 12:17 PM

How can I have multiple host stanzas in transforms.conf all be applied? I'd like to pull content out of some entries and discard others.

For example both of these work independently. I want these transforms applied to specific source types on specific hosts.

transforms.conf

[host::MYSERVER]
SOURCE_KEY = _raw
REGEX = (?sm)(.*)This event is generated
DEST_KEY = _raw
FORMAT = $1

[host::MYSERVER]
SOURCE_KEY = _raw
REGEX = (?sm)smsexec
DEST_KEY = queue
FORMAT = nullQueue

props.conf

[WinEventLog:Security]
TRANSFORMS-windows_null3 = windows_null3,host::PATCHES
0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎12-19-2017 01:05 PM

You're going to need both props.conf and transforms.conf entry for your event filtering. Have a look at this.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Routeandfilterdatad#Keep_specific_...

0 Karma
Reply

timbCFCA
Path Finder
‎12-19-2017 01:10 PM

I'm aware of needing to use props.conf in order to apply my transform. How does this answer apply to how to apply multiple host stanzas?

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎12-19-2017 01:46 PM

If you want to apply same filtering transforms to multiple hosts, you can create props.conf entry for each of the host, applying same TRANSFORMS stanza. Also if you hosts follow some sort of pattern, you can use wildcard in props.conf stanza name.

0 Karma
Reply

timbCFCA
Path Finder
‎12-19-2017 01:53 PM

Thanks. I want to have multiple transforms applied to the same host, not apply the same transform to multiple hosts.

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎12-19-2017 02:12 PM

Give this a try. The transforms are applied from right to left of the list provided in props.conf.

props.conf

[host::MYSERVER]
TRANSFORMS-set= setnull,clean_raw_data

transforms.conf

[clean_raw_data]
 SOURCE_KEY = _raw
 REGEX = (?sm)(.*)This event is generated
 DEST_KEY = _raw
 FORMAT = $1

 [setnull]
 SOURCE_KEY = _raw
 REGEX = (?sm)smsexec
 DEST_KEY = queue
 FORMAT = nullQueue
0 Karma
Reply

timbCFCA
Path Finder
‎12-19-2017 02:31 PM

That looks promising. I also only want to apply these transforms for a specific source type. 

[WinEventLog:Security]
TRANSFORMS-windows_null3 = windows_null3,host::MYSERVER
0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...