How do I setup a field extract, field transform to...

bliss989 · ‎11-04-2014

I am struggling with the relationship between the field extract and the field transformation with regards to sourcetype.
Given a basic line: Nov 1 host service[1001]
I would like to take this and assign it the sourcetype "service"
index is john
sourcetype is john_service

props.conf

[john] 
TRANSFORM-sourcetype = john_service

transforms.conf:

[john_service]
REGEX =\s(\w+)\[
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::john_service

The initial input gets set to: index=john, sourcetype=john

tskinnerivsec · ‎11-04-2014

Stanzas in props.conf are typically tied to sourcetype. So, once you assign an event to a source type, you would be able to use props.conf to write a field extraction. If you are just renaming a field by using a FIELDALIAS, you can configure it all in props.conf.

If you are creating field names via regex, or working with key/value pairs and need to define a header row, you will also need to use transforms.conf as well.

somesoni2 · ‎11-04-2014

Please provide you inputs.conf entry for this log to know the index and sourcetype initially used and some real sample logs.

How do I setup a field extract, field transform to change sourcetype?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms