Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to override field with transforms.conf?

rafadvega
Path Finder
‎05-25-2023 02:40 PM

I have a sourcetype with events like:

 

 

fieldname.field1=value1,fieldname.field2=value1 value2 value3 value4,fieldname.field3=value1

 

 

To extract the fields, I use the following transformation which works correctly:

 

 

[extract_key_value]
FORMAT = $1::$2
REGEX = fieldname.([^=]+)=([^\,]+)

 

 

The field2, I want to convert it into a multivalue field by splitting it on spaces. If I do the following, it works correctly:

 

 

[field2]
SOURCE_KEY = field2
MV_ADD = 1
FORMAT = field_test::$1
REGEX = ([^\s]+):

 

 

However, if I try to overwrite the field, it doesn't work.

 

 

[field2]
SOURCE_KEY = field2
MV_ADD = 1
FORMAT = field2::$1
REGEX = ([^\s]+):

 

 

What could be my mistake?
Thank you in advance


PD:

My props.conf:

 

 

[mysourcetype]
KV_MODE = None
REPORT-extract_key_value = extract_key_value
REPORT-extract_mv_fields = field2
SHOULD_LINEMERGE = false

 

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rafadvega
Path Finder
‎05-26-2023 03:35 AM

I have found an alternative way using FIELDALIAS. If there is a better way to do it, I appreciate the help:

props.conf:

[mysourcetype]
FIELDALIAS-field2_mv_as_field2= field2_mv AS field2
KV_MODE = None
REPORT-extract_key_value = extract_key_value
REPORT-extract_mv_fields = field2
SHOULD_LINEMERGE = false

 transforms.conf

[extract_key_value]
FORMAT = $1::$2
REGEX = fieldname.([^=]+)=([^\,]+)

[field2]
SOURCE_KEY = field2
MV_ADD = 1
FORMAT = field2_mv::$1
REGEX = ([^\s]+):

View solution in original post

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎05-26-2023 04:16 AM

Hi

This is quite interesting case ,-) Obviously at least docs needs information that you cannot use fieldX as target. You should leave note on docs about this.

Another way to do this is follow The sequence of search-time operations which shows the order of applied actions and select how you can get work around for this.

Another way to do this is use calculated field.

Add this to your sourcetype definition. This can do via conf file or via GUI

[mysourcetype]
REPORT-extract_key_value = extract_key_value
EVAL-field2 = split(field2, " ")

 and keep your transformation as earlier

[extract_key_value]
FORMAT = $1::$2
REGEX = fieldname.([^=]+)=([^\,]+)

This way there shouldn't any additional fields on your field list.

r. Ismo

0 Karma
Reply
Solved! Jump to solution
Solution

rafadvega
Path Finder
‎05-26-2023 03:35 AM

I have found an alternative way using FIELDALIAS. If there is a better way to do it, I appreciate the help:

props.conf:

[mysourcetype]
FIELDALIAS-field2_mv_as_field2= field2_mv AS field2
KV_MODE = None
REPORT-extract_key_value = extract_key_value
REPORT-extract_mv_fields = field2
SHOULD_LINEMERGE = false

 transforms.conf

[extract_key_value]
FORMAT = $1::$2
REGEX = fieldname.([^=]+)=([^\,]+)

[field2]
SOURCE_KEY = field2
MV_ADD = 1
FORMAT = field2_mv::$1
REGEX = ([^\s]+):
0 Karma
Reply
Get Updates on the Splunk Community!

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
Top