Solved: Field names in lowercase, transforms.conf - Page 2

gelica · ‎07-19-2013

Hi!

I have some different sourcetypes defined by me where I'm extracting some of the fields with stanzas in transforms.conf at search time (I'm using REPORT in props.conf). Here is one example of a stanza I'm using:

REGEX=(?im)[\r\n]+([^\r\n]*name)\: ([^\r\n]+)
FORMAT=$1::$2
MV_ADD=true

This extracts the fields I want, but since I extract the field name like this, the field name may be in uppercase, lowercase or a combination.

Creating new stanzas for each field is not an option since I have a lot of fields and most of my stanzas are of the form shown above, where I just define the ending of the field name, to be able to extract most of them.

I wonder if there is any way to "force" the field names to lowercase?

grijhwani · ‎07-21-2013

If you look at the answer to a slightly different question (Dealing with key/value pairs with inconsistent key case) the solution is, perhaps, to pre-process the log stream at input time to convert to lower case with sed commands.

View solution in original post

Field names in lowercase, transforms.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

Join the Conversation