Getting Data In

Field transformation based on source

stefan_radovano
Explorer

Hi All,

We log data from devices belonging to different customers; the logs are written to our syslog server in files named /data/log/CUSTOMER/site/router1.log, for example. I wanted to have a search-time field called customer with the value CUSTOMER, taken from the source filename.

I did this via the web GUI, under Settings/Fields/Field Transformations; this is what was written to $SPLUNK_HOME/etc/apps/search/local/transforms.conf:

[get_customer]
FORMAT = customer::$1
REGEX = \/data\/log\/(.*)\/site.*
SOURCE_KEY = MetaData:Source

Unfortunately nothing happens; I get no field named customer when I search. From what I can tell, the regex is correct. I also tried just "source" as SOURCE_KEY, but nothing changed. Is anything wrong with my transform?

I am also not sure how this transform is applied; is it run against log messages arriving via all indexes?

As additional info, we are running Splunk on a separate server (so basically the indexer), and we use a light forwarder on our syslog server. The transform above is done on the indexer.

Thanks,
Stefan

1 Solution

emechler_splunk
Splunk Employee

In props.conf:

[your_sourcetype]
# The setting is EXTRACT-<class>; the class suffix is required, its name is arbitrary
EXTRACT-get_customer = \/data\/log\/(?<customer>\w+)\/site.* in source

No need to touch transforms.conf for this.
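
The following is an added example, not part of the original thread or of Splunk itself: a small Python model of what the accepted answer's `EXTRACT ... in source` rule does at search time, run over constructed sample events. It shows the three things a practitioner checks before trusting a tenant field derived from a file path: the regex is applied only to events of the stanza's sourcetype; `\w+` does not match customer directories containing `-` or `.`, so those events silently get no customer field (an assumed `[^/]+` variant is included for comparison); and the original transform's greedy `(.*)` captures `acme/branch` for a nested path. The `unattributed` check is the one worth keeping: in a multi-tenant index, events without the customer field fall outside any search or filter scoped on it. Python's `re` writes named groups as `(?P<name>...)` rather than Splunk's PCRE `(?<name>...)`; the sample sources and sourcetypes are constructed.

```python
import re
from typing import Optional

# Regex from the accepted answer, in Python syntax (PCRE (?<name>...) -> (?P<name>...)).
ANSWER_REGEX = re.compile(r"/data/log/(?P<customer>\w+)/site.*")

# Assumed broader variant: anything except a slash, so customer directories
# containing '-' or '.' still match (\w covers only [A-Za-z0-9_]).
BROAD_REGEX = re.compile(r"/data/log/(?P<customer>[^/]+)/site.*")

# The original transform's greedy capture, for comparison.
GREEDY_REGEX = re.compile(r"/data/log/(?P<customer>.*)/site.*")


def extract_customer(source: str, regex: re.Pattern = ANSWER_REGEX) -> Optional[str]:
    """Mimic 'EXTRACT-<class> = <regex> in source': run the regex over the
    source field and return the named capture, or None when nothing matches."""
    m = regex.search(source)
    return m.group("customer") if m else None


def apply_search_time_extraction(events, sourcetype, regex=ANSWER_REGEX):
    """Apply the extraction only to events of the given sourcetype, as a
    props.conf [sourcetype] stanza would, adding a 'customer' field on match."""
    out = []
    for ev in events:
        ev = dict(ev)  # do not mutate the caller's events
        if ev.get("sourcetype") == sourcetype:
            customer = extract_customer(ev["source"], regex)
            if customer is not None:
                ev["customer"] = customer
        out.append(ev)
    return out


def unattributed(events):
    """Events that ended up without a customer field. In a multi-tenant index
    these are the ones no customer-scoped search will ever return."""
    return [ev for ev in events if "customer" not in ev]


# Constructed sample events (not taken from the original post).
SAMPLE_EVENTS = [
    {"source": "/data/log/CUSTOMER/site/router1.log", "sourcetype": "syslog", "_raw": "..."},
    {"source": "/data/log/acme-west/site/router2.log", "sourcetype": "syslog", "_raw": "..."},
    {"source": "/data/log/acme/branch/site/fw1.log", "sourcetype": "syslog", "_raw": "..."},
    {"source": "/var/log/messages", "sourcetype": "syslog", "_raw": "..."},
    {"source": "/data/log/acme/site/router1.log", "sourcetype": "cisco:ios", "_raw": "..."},
]

if __name__ == "__main__":
    for name, regex in [("answer", ANSWER_REGEX), ("broad", BROAD_REGEX), ("greedy", GREEDY_REGEX)]:
        tagged = apply_search_time_extraction(SAMPLE_EVENTS, "syslog", regex)
        print(name, [ev.get("customer") for ev in tagged])
        print("  unattributed:", [ev["source"] for ev in unattributed(tagged)])
```

The last sample event never gets a customer field with any of the three regexes because the stanza is keyed on sourcetype, not on source: if the same customer tree also holds `cisco:ios` files, the extraction has to be repeated in that sourcetype's stanza (or the extraction applied per source), otherwise those events are unattributed too.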


stefan_radovano
Explorer

Yes, I do have that too.

0 Karma

martin_mueller
SplunkTrust

You could also just add in source after the end of the field extraction regex when editing it through the UI.

emechler_splunk
Splunk Employee

You can do this in SPL itself:

| extract reload=t

0 Karma

stefan_radovano
Explorer

I actually tried to do this via the GUI (Fields/Field Extractions), but when I chose "source" for "Apply To", it also wanted me to specify which source. I obviously didn't want to restrict it to one particular source, and didn't know what to put in there. Was I doing something wrong?

In any case, this worked. I just had to restart Splunk. Is there no way around restarting?

0 Karma

martin_mueller
SplunkTrust

Did you specify a REPORT-foo = get_customer entry in props.conf for that sourcetype?

0 Karma