My current situation is that a bunch of files are all being dumped into one directory for the forwarder to monitor and send to the indexers. Based on a field in the data, I route the events to different indexes. These are the current props.conf and transforms.conf which are working.
props.conf:
[json_input]
MAX_TIMESTAMP_LOOKAHEAD=30
...
TRANSFORMS-override-ldc=override-ldc
TRANSFORMS-override-jrc=override-jrc
transforms.conf:
[override-ldc]
SOURCE_KEY=_raw
DEST_KEY=_MetaData:Index
REGEX=fieldname\"\s*:\s*\"LDC.*
FORMAT=foo_ldc
[override-jrc]
SOURCE_KEY=_raw
DEST_KEY=_MetaData:Index
REGEX=fieldname\"\s*:\s*\"JRC.*
FORMAT=foo_jrc
I also need to override the value for the source field based on the exact same REGEX. Can I use the same transforms stanza to update 2 metadata fields, or do I need to have a second transform which uses the same REGEX but overrides source rather than index?
Your transforms.conf is fine but use this props.conf:
[json_input]
MAX_TIMESTAMP_LOOKAHEAD=30
TRANSFORMS-override-index = override-ldc, override-jrc
You would have to add a different transforms stanza to override Index and source, as DEST_KEY accepts only a single field.
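A complete props.conf/transforms.conf pair illustrating the answer above (added here as an example; it is not the original poster's or the answerer's configuration). It reuses the `json_input` sourcetype, the `fieldname` regex and the `foo_ldc`/`foo_jrc` index names from the question; the source names `src_ldc`/`src_jrc` and the stanza names `source-ldc`/`source-jrc` are assumptions.

```ini
# props.conf (added example)
[json_input]
MAX_TIMESTAMP_LOOKAHEAD=30
# One index-time TRANSFORMS- line per metadata key; stanzas run left to right.
TRANSFORMS-override-index = override-ldc, override-jrc
TRANSFORMS-override-source = source-ldc, source-jrc

# transforms.conf (added example)
# Index routing: for _MetaData:Index the FORMAT is the bare index name.
[override-ldc]
SOURCE_KEY=_raw
DEST_KEY=_MetaData:Index
REGEX=fieldname\"\s*:\s*\"LDC.*
FORMAT=foo_ldc

[override-jrc]
SOURCE_KEY=_raw
DEST_KEY=_MetaData:Index
REGEX=fieldname\"\s*:\s*\"JRC.*
FORMAT=foo_jrc

# Source override: a separate stanza per value with the same REGEX, because a
# stanza has exactly one DEST_KEY. Note the key is MetaData:Source (no leading
# underscore) and the FORMAT must carry the source:: prefix.
[source-ldc]
SOURCE_KEY=_raw
DEST_KEY=MetaData:Source
REGEX=fieldname\"\s*:\s*\"LDC.*
FORMAT=source::src_ldc

[source-jrc]
SOURCE_KEY=_raw
DEST_KEY=MetaData:Source
REGEX=fieldname\"\s*:\s*\"JRC.*
FORMAT=source::src_jrc
```

Events whose `_raw` matches neither REGEX keep the forwarder's default index and their original source, so searching that default index is the quick check for anything the routing missed.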
So by listing the transforms in one line, does that impact the way Splunk executes the transforms? Is there a performance impact? I guess I'm asking why one line instead of two?
Only a very slight improvement, but it is better because it is the most clear/correct. You can also more easily control which one comes first by the order in the list.