Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Overwrites to multiple indexed fields possible in one transforms.conf stanza?

Runals
Motivator
‎09-27-2012 05:34 PM

We have some syslog feeds coming directly into an indexer. While this will eventually get addressed with forwarders I'd like to overwrite both the source and host indexed fields.
The forwarded syslogs looke like the following:

timestamp Forwarded from IP_address: whatever blah blah blah

and we are capturing the forwared from IP address in the following stanza

[forwarded]
DEST_KEY = MetaData:Host
REGEX = Forwarded\sfrom\s([^: ]+):
FORMAT = host::$1

Since I'd like to also grab the "whatever" and put it into the source field I'm wondering if I need to do that with a separate stanza in the transforms.conf file or if it can be included in the existing one. If it does require a second stanza in transforms can I call that from a second line in the props.conf stanza? For example

props.conf
[source blah]
TRANSFORMS-1=forwared
TRANSFORMS-2=forwared2

transforms.conf
[forwarded]
--as above--

[forwarded2]
DEST_KEY = MetaData:Source
REGEX = Forwarded\sfrom\s\d+\.\d+\.\d+\.\d+: (\S+)
FORMAT = source::$1

Have I overlooked anything?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎09-27-2012 08:15 PM

Because of needing to set DEST_KEY, I think your second approach with two different TRANSFORMS-xxx rules in props is the proper configuration.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎09-27-2012 08:15 PM

Because of needing to set DEST_KEY, I think your second approach with two different TRANSFORMS-xxx rules in props is the proper configuration.

0 Karma
Reply
Solved! Jump to solution

Runals
Motivator
‎09-28-2012 08:01 AM

That was my thought/concern as well. Came into work this morning and added a second transforms call in the props and it did the trick. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...