How do I setup a field extract, field transform to...

bliss989 · ‎11-04-2014

I am struggling with the relationship between the field extract and the field transformation with regards to sourcetype.
Given a basic line: Nov 1 host service[1001]
I would like to take this and assign it the sourcetype "service"
index is john
sourcetype is john_service

props.conf

[john] 
TRANSFORM-sourcetype = john_service

transforms.conf:

[john_service]
REGEX =\s(\w+)\[
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::john_service

The initial input gets set to: index=john, sourcetype=john

tskinnerivsec · ‎11-04-2014

Stanzas in props.conf are typically tied to sourcetype. So, once you assign an event to a source type, you would be able to use props.conf to write a field extraction. If you are just renaming a field by using a FIELDALIAS, you can configure it all in props.conf.

If you are creating field names via regex, or working with key/value pairs and need to define a header row, you will also need to use transforms.conf as well.

somesoni2 · ‎11-04-2014

Please provide you inputs.conf entry for this log to know the index and sourcetype initially used and some real sample logs.

How do I setup a field extract, field transform to change sourcetype?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation