Multiple regex conditions in transforms.conf

Abha11 · ‎12-06-2021

Hi ,

I have a transforms to send logs from prod hosts to one index and from non prod to other.
Transforms:

[prod]
DEST_KEY = MetaData:Index

REGEX = (.*-prd.*)

FORMAT = index_a

[nonprod]
DEST_KEY = MetaData:Index

REGEX = (.*-nprd.*)

FORMAT = index_b

Above transforms is working fine for all logs from those hosts. But now the problem is I only want it to be applicable to //var/log/messages and //var/log/secure.

any suggestions if I can multiple regex conditions based on host I.e. prd and source path ?

appreciate your help on this 🙂

isoutamo · ‎12-07-2021

Hi

as https://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf said you can play REGEX towards _raw or other MetaData fields by using SOURCE_KEY. Based on that approach you probably can apply multiple transforms stanza for one event to achieve your needs. The same technique is usually used when most of data want to put nullQueue and only some events are needed for indexing.

props.conf

TRANSFORM-setProd = trans-1, trans-2prod [, trans-3 ...]
TRANSFORM-setTest = trans-1, trans-2test [, trans-3 ...]

Then in transforms.conf just set all to prod/test (or what is your main target), then based on log source change that to correct environment and if needed do additional transforms. Actually you could leave out trans-2xxx away in that environment.

Important thing (or at least it's easiest to understand and ensure that those are applied in correct order) is put all needed transformations on one entry in props.conf.

r. Ismo