Multiple Transforms Stanzas Inside One Props Stanza - Limit?

aferone
Builder

Here is my current props.conf stanza for UDP:514 syslog traffic. I am sending this traffic to multiple indexes using transforms.conf.

props.conf:

[syslog]
TRANSFORMS-index = Stan1, Stan2, Stan3

transforms.conf

[Stan1]
SOURCE_KEY = MetaData:Host
REGEX = (host1|host2|host3)\.domain\.here\.com
DEST_KEY = _MetaData:Index
FORMAT = index1

[Stan2]
SOURCE_KEY = MetaData:Host
REGEX = (host4|host5|host6)\.domain\.here\.com
DEST_KEY = _MetaData:Index
FORMAT = index2

[Stan3]
SOURCE_KEY = MetaData:Host
REGEX = (host7|host8|host9)\.domain\.here\.com
DEST_KEY = _MetaData:Index
FORMAT = index3

This seems to work just fine. However, I am now trying to add a 4th reference to a stanza in props.conf under syslog. When I do this, and add the appropriate stanza in transforms.conf, all of the syslog ends up in one index, and it doesn't seem to be consistent when I restart the Heavy Forwarder.

Is there a limit to how many stanzas I can reference in transforms.conf from one stanza in props.conf [syslog]?

Thanks!

0 Karma

arunsunny
Path Finder

Hi All,

Facing a few challenges; mine is playing around with the same transforms.

I'm trying to get the same source data forwarded to two different logical indexes and two different index groups.

Below is my scenario.

In props.conf I used:

[source::Dual_Data_Testing]
TRANSFORMS-source = Stan1, Stan2

In transforms.conf

[Stan1]
SOURCE_KEY = MetaData:Source
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = Index1
DEST_KEY = _TCP_ROUTING
FORMAT = IndexerGroup1

[Stan2]
SOURCE_KEY = MetaData:Source
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = Index2
DEST_KEY = _TCP_ROUTING
FORMAT = IndexerGroup2

Currently the above conf is not working.

Please, any suggestions for a workaround for this?

Thanks,
Arun Sunny

0 Karma

aferone
Builder

The 4th one is just basically a continuation:

[Stan4]
SOURCE_KEY = MetaData:Host
REGEX = (host10|host11|host12).domain.here.com
DEST_KEY = _MetaData:Index
FORMAT = index4

0 Karma

lukejadamec
Super Champion

What is the fourth stanza? It must be grabbing them all somehow.

0 Karma

_d_
Splunk Employee

No, there is no limit. Well, I suppose there is a limit for everything, but in this case it's certainly not 4.

aferone
Builder

Is the way I'm trying to do it a common approach?

0 Karma
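
Added example, not part of any post in this thread and not Splunk code: a small offline tester that replays the four stanzas posted above against hostnames, so overlapping or overly broad REGEX values show up before a forwarder restart. It assumes transforms run in the order listed in TRANSFORMS-index, that REGEX is an unanchored search over the MetaData:Host value (which carries a `host::` prefix), that a later match overwrites `_MetaData:Index`, and that unmatched events stay in a default index called `main`; the hostnames and the `StanX` catch-all are constructed for illustration.

```python
import re

# The four stanzas posted in this thread, in TRANSFORMS-index order:
# (name, REGEX, FORMAT). Stan4 keeps its unescaped dots exactly as posted.
STANZAS = [
    ("Stan1", r"(host1|host2|host3)\.domain\.here\.com", "index1"),
    ("Stan2", r"(host4|host5|host6)\.domain\.here\.com", "index2"),
    ("Stan3", r"(host7|host8|host9)\.domain\.here\.com", "index3"),
    ("Stan4", r"(host10|host11|host12).domain.here.com", "index4"),
]

def route(host, stanzas=STANZAS, default_index="main"):
    """Return (final_index, [matching stanza names]) for one hostname.

    Assumed model of index-time routing: every listed transform is tried in
    order, REGEX is an unanchored search over "host::<name>", and each match
    overwrites the index chosen so far (the last match wins).
    default_index="main" is an assumption; use whatever the input sets.
    """
    value = "host::" + host
    index, matched = default_index, []
    for name, regex, fmt in stanzas:
        if re.search(regex, value):
            index = fmt
            matched.append(name)
    return index, matched

def audit(hosts, stanzas=STANZAS):
    """Map each host to (index, matches, status), flagging ambiguous routing."""
    report = {}
    for host in hosts:
        index, matched = route(host, stanzas)
        status = "unrouted" if not matched else "overlap" if len(matched) > 1 else "ok"
        report[host] = (index, matched, status)
    return report

if __name__ == "__main__":
    # Constructed sample hostnames, not taken from the thread.
    sample = ["host2.domain.here.com", "host11.domain.here.com",
              "host10xdomain-here.com", "myhost7.domain.here.com",
              "host13.domain.here.com"]
    # Hypothetical fifth stanza with a match-everything REGEX.
    broad = STANZAS + [("StanX", r".", "index5")]
    for label, stanzas in (("as posted", STANZAS), ("with catch-all", broad)):
        for host, result in audit(sample, stanzas).items():
            print(label, host, result)
```

A host reported as `overlap` is one whose final index depends on stanza order, and a stanza that matches every sample host is the first thing to check when all traffic lands in one index.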