Hi, I am trying to rename a sourcetype based on the source on my indexer within a custom app,
so I created props.conf and transforms.conf in %splunkhome%\etc\apps\myapp\default
props.conf
[source::C:\\temp\\MyFile*.csv]
TRANSFORMS-wst=wst-sourcetype
transforms.conf
[wisdom-sourcetype]
DEST_KEY=MetaData:Sourcetype
SOURCE_KEY=MetaData:Source
REGEX=\bMyFile\w+
FORMAT=sourcetype::$1
WRITE_META=true
Any idea why I still get the Sourcetype in csv?
In the FORMAT setting, you use $1, which refers to the first capturing group in the REGEX, but the REGEX does not contain any capturing group.
Shame on me. For missing the ().
Thanks.
Sorry, there was a copy and paste error: it should be wst-sourcetype, not wisdom-sourcetype, in transforms.conf
transforms.conf is
[wst-sourcetype]
DEST_KEY=MetaData:Sourcetype
SOURCE_KEY=MetaData:Source
REGEX=\bMyFile\w+
FORMAT=sourcetype::$1
WRITE_META=true
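Both problems in this thread (a TRANSFORMS- reference with no matching stanza, and a FORMAT that uses $1 when REGEX has no capturing group) can be caught before deployment. The following is an added example, not part of the original posts and not a Splunk tool: the function names are hypothetical, the corrected REGEX `\b(MyFile\w+)` is an assumed placement of the parentheses, and Python's `re` stands in for Splunk's PCRE when counting groups.

```python
import configparser
import re

# Constructed sample input: the two files as first posted in the thread.
PROPS = r"""
[source::C:\\temp\\MyFile*.csv]
TRANSFORMS-wst=wst-sourcetype
"""
TRANSFORMS_POSTED = r"""
[wisdom-sourcetype]
DEST_KEY=MetaData:Sourcetype
SOURCE_KEY=MetaData:Source
REGEX=\bMyFile\w+
FORMAT=sourcetype::$1
WRITE_META=true
"""
# Assumed correction: stanza renamed and a capturing group added to REGEX.
TRANSFORMS_FIXED = TRANSFORMS_POSTED.replace("wisdom-", "wst-").replace(
    r"\bMyFile\w+", r"\b(MyFile\w+)")

def parse_conf(text):
    """Parse .conf text without interpolation, keeping key case."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def lint(props_text, transforms_text):
    """Return a list of problems linking props.conf to transforms.conf."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    problems = []
    # 1. Every transform named in props.conf must exist as a stanza.
    for stanza in props.sections():
        for key, value in props.items(stanza):
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                if name and not transforms.has_section(name):
                    problems.append(f"[{stanza}] {key}: no [{name}] stanza")
    # 2. Every $N in FORMAT needs an Nth capturing group in REGEX.
    for stanza in transforms.sections():
        regex = transforms.get(stanza, "REGEX", fallback=None)
        fmt = transforms.get(stanza, "FORMAT", fallback="")
        if regex is None:
            continue
        groups = re.compile(regex).groups
        for ref in sorted({int(n) for n in re.findall(r"\$(\d+)", fmt)}):
            if ref > groups:
                problems.append(
                    f"[{stanza}] FORMAT uses ${ref}, REGEX has {groups} group(s)")
    return problems
```

`lint(PROPS, TRANSFORMS_POSTED)` reports both the stanza mismatch and the missing group; `lint(PROPS, TRANSFORMS_FIXED)` returns an empty list.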