Can I use props/transform to make MULTIPLE changes to the same event from a log?

daniel333
Builder

All,

Can I use props/transform to make MULTIPLE changes to the same event from a log?

Let's say I have an app log, with a lot going on. I have a certain subset of logs I need to move to a compliance index and change the sourcetype and do a little clean up.

if (event = hello world) then
change sourcetype to "myxactdata"
change index to "compliance"
SED away credit card

I can get any one of these to work, but not all three at once. What's the trick here?

0 Karma

micahkemp
Champion

Once an event is in the parsing queue, changing its sourcetype will not result in the new sourcetype's props/transforms being run on it.

There is a way to do what you're looking for with CLONE_SOURCETYPE. Basically you would clone the hello world event into the sourcetype myxactdata, then drop the event of the original sourcetype. The new sourcetype would have its props/transforms run, so you could change index and use SEDCMD for that sourcetype.

Or, you could use the same REGEX you used to determine you wanted to change the sourcetype to not only change the sourcetype, but also the index, and also run a TRANSFORM on it at index time to accomplish what your SEDCMD did (DEST_KEY = _raw to rewrite _raw).

Edit:

Perhaps your question didn't indicate you were trying to change the sourcetype and use the new sourcetype's props/transforms to perform the extra steps. You can definitely perform multiple index time operations on an event, but make sure the order of operations isn't getting in the way.

For instance, if you use SEDCMD, does your REGEX to set the sourcetype/index no longer match?
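The CLONE_SOURCETYPE approach from the answer above, written out as props.conf and transforms.conf stanzas. This is an added example, not configuration posted by the answerer; "app_log" is an assumed name for the original sourcetype, and the card-masking pattern is constructed for illustration, while "hello world", "myxactdata" and "compliance" come from the question.

```ini
# props.conf  (added example, not from the answer above)
# "app_log" is an assumed name for the original sourcetype.
[app_log]
# Transforms in a class run left to right: clone first, then drop the original.
TRANSFORMS-compliance_route = clone_to_myxactdata, drop_original_hello_world

[myxactdata]
# The clone arrives here carrying its new sourcetype, so this stanza's SEDCMD
# runs on it. Constructed pattern: masks a 16-digit card number written with
# optional spaces or dashes, keeping only the last four digits.
SEDCMD-mask_card = s/\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?(\d{4})\b/XXXX-XXXX-XXXX-\1/g

# transforms.conf
[clone_to_myxactdata]
# Only events containing "hello world" are cloned. CLONE_SOURCETYPE must be part
# of an otherwise valid index-time transform, so the same stanza also sets the
# clone's destination index; the original event passes through unchanged.
REGEX = hello world
CLONE_SOURCETYPE = myxactdata
DEST_KEY = _MetaData:Index
FORMAT = compliance

[drop_original_hello_world]
# Second transform in the app_log list: routes the unmasked original to the
# null queue so only the cleaned clone is indexed. The clone is not affected,
# because it is processed under myxactdata, not app_log.
REGEX = hello world
DEST_KEY = queue
FORMAT = nullQueue
```

Because the masking SEDCMD lives on the myxactdata stanza rather than on app_log, it cannot rewrite the text that the app_log REGEX needs to match, which sidesteps the order-of-operations problem raised in the edit above.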
