Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I override two keys in one transforms stanza?

lyndac
Contributor
‎04-05-2016 08:46 AM

My current situation is that a bunch of files are all being dumped into one directory for the forwarder to monitor and send to the indexers. Based on a field in the data, I route the events to different indexes. These are the current props.conf and transforms.conf which are working.

props.conf:

[json_input]
MAX_TIMESTAMP_LOOKAHEAD=30
...
TRANSFORMS-override-ldc=override-ldc
TRANSFORMS-override-jrc=override-jrc

transforms.conf:

    [override-ldc]
    SOURCE_KEY=_raw
    DEST_KEY=_MetaData:Index
    REGEX=fieldname\"\s*:\s*\"LDC.*
    FORMAT=foo_ldc

    [override-jrc]
    SOURCE_KEY=_raw
    DEST_KEY=_MetaData:Index
    REGEX=fieldname\"\s*:\s*\"JRC.*
    FORMAT=foo_jrc

I also need to override the value for the source field based on the exact same REGEX. Can I use the same transforms stanza to update 2 metadata fields, or do I need to have a second transform which uses the same REGEX but overrides source rather than index?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-05-2016 09:06 AM

Your transforms.conf is fine but use this props.conf:

[json_input]
MAX_TIMESTAMP_LOOKAHEAD=30
TRANSFORMS-override-index = override-ldc, override-jrc

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-05-2016 09:11 AM

You would've to add different transforms stanza to override Index and source as the DEST_KEY accepts only single fields.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-05-2016 09:06 AM

Your transforms.conf is fine but use this props.conf:

[json_input]
MAX_TIMESTAMP_LOOKAHEAD=30
TRANSFORMS-override-index = override-ldc, override-jrc
0 Karma
Reply
Solved! Jump to solution

lyndac
Contributor
‎04-05-2016 10:55 AM

So by listing the tranforms in one line, does that impact the way splunk executes the transforms? Is there a performance impact? I guess I'm asking why one line instead of two?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-05-2016 11:06 AM

Only very slight improvement but it is better because it is most clear/correct. You can also more easily control which one comes first by the order in the list.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...