Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you apply transforms to all events meant for a specific index?

ricotries
Communicator
‎05-23-2020 01:38 PM

In my testing environment I have three main indexes that are specific to the data stored within them. I want to change the host value of all events by appending a string at the end of the host at index time (similar to a domain name, as an example) and I know how to do this with the props-transforms configuration, but I can only do it based on sourcetype, host, or source. Is there a way to do the same thing but based on index?

For example, 

index1: host -> host.test1, something -> something.test1
index2: tmp -> tmp.test2
index3: hello -> hello.test3

I know how to do this based on the host field, for example:
Props.conf

[host::*]
TRANSFORMS-appendname = append_name

Transforms.conf

[append_name]
SOURCE_KEY = MetaData:Host
REGEX = (.*)
FORMAT = $1.test
DEST_KEY = MetaData:Host

And in this case, every host that forwards logs to my indexer would have their events stored as 

host = hostname.test

How do I do the same thing but based on the target index?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-23-2020 02:26 PM

transforms.conf

 [append_name]
 INGEST_EVAL = host=case(index="index1", host.".test1", index="index2", host.".test2", index="index3", host.".test3", true(), host)
 WRITE_META = true

INGEST_EVAL can be used as eval
How about this?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-23-2020 02:26 PM

transforms.conf

 [append_name]
 INGEST_EVAL = host=case(index="index1", host.".test1", index="index2", host.".test2", index="index3", host.".test3", true(), host)
 WRITE_META = true

INGEST_EVAL can be used as eval
How about this?

0 Karma
Reply
Solved! Jump to solution

ricotries
Communicator
‎05-23-2020 03:16 PM

I was not aware of that setting. Because it works exactly like eval you can do the following then:

[append_name]
INGEST_EVAL = host=case(index="index1", host.".test1", index="index2", host.".test2", index="index3", host.".test3", true(), host)
WRITE_META = true

Take note that to concatenate the host value and a string you have to type a period before the string.

host."<string>" = host<string>
host.".<string>" = host.<string>

If you change your answer with the revised working (I tested it) eval declaration, I'll accept it.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎05-23-2020 03:20 PM

I see, My answer is updated.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...