Props and transforms: Order of execution of transf...

koshyk · ‎05-10-2017

AS per props.conf documentation

Use a comma-separated list to apply multiple transform stanzas to a single

TRANSFORMS extraction. Splunk applies them in the list order. For example,
this sequence ensures that the [yellow] transform stanza gets applied
first, then [blue], and then [red]:
[source::color_logs]
TRANSFORMS-colorchange = yellow, blue, red

But I have an issue whereby I cannot put all the 3 transforms in single stanza.

 [source::color_logs] # say this assigns a yellow_colored_logs  sourcetype
TRANSFORMS-colorchange = yellow
[yellow_colored_logs]
TRANSFORMS-zcolorchange = blue,red

Will the above order work? So basically my question is will splunk handle transforms on serial order if I put in multiple stanza?

gcusello · ‎05-10-2017

Hi koshyk,
I suggest to use one method to transform your logs (e.g. sourcetypes)

[yellow_colored_logs]
 TRANSFORMS-zcolorchange1 = blue,red
[red_colored_logs]
 TRANSFORMS-zcolorchange2 = blue,yellow
[blue_colored_logs]
 TRANSFORMS-zcolorchange3 = red,yellow

testing order.

Bye.
Giuseppe

koshyk · ‎05-11-2017

@cusello thanks for that. I will test and let you know. Meantime, I will upvote and if its successful I will mark as answer

Props and transforms: Order of execution of transforms for multiple stanza?

Splunk APM & RUM | Upcoming Planned Maintenance

Part 2: Diving Deeper With AIOps

User Groups | Upcoming Events!