Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can I use props/transform to make MULTIPLE changes to the same event from a log?

daniel333
Builder
‎02-09-2018 12:27 PM

All,

Can I use props/transform to make MULTIPLE changes to the same event from a log?

Lets say I have an app log, with a lot going on. I have a certain subset of logs I need to move to a compliance index and change the sourcetype and do a little clean up.

if (event = hello world) then
change sourcetype to "myxactdata"
change index to "compliance"
SED away credit card

I can anyone of these to work, but not all three at once. What's the trick here?

0 Karma
Reply

micahkemp
Champion
‎02-09-2018 12:37 PM

Once an event is in the parsing queue, changing its sourcetype will not result in the new sourcetype's props/transforms being run on it.

There is a way to do what you're looking for with CLONE_SOURCETYPE. Basically you would clone the hello world event into the sourcetype myxactdata, then drop the event of the original sourcetype. The new sourcetype would have its props/transforms run, so you could change index and use SEDCMD for that sourcetype.

Or, you could use the same REGEX you used to determine you wanted to change the sourcetype to not only change the sourcetype, but also the index, and also run a TRANSFORM on it at index time to accomplish what your SEDCMD did (DEST_KEY = _raw to rewrite _raw).

Edit:

Perhaps your question didn't indicate you were trying to change the sourcetype and use the new sourcetype's props/transforms to perform the extra steps. You can definitely perform multiple index time operations on an event, but make sure the order of operations isn't getting in the way.

For instance, if you use SEDCMD, does your REGEX to set the sourcetype/index no longer match?

Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...