Re: Transforms not replacing original value

thard_splunk · ‎06-08-2017

Hello,

I have a CSV in which I am attempting to shorten a 128 character string down to the last 8 characters. I used the following configuration in transforms/props:

props.conf:

[taxi_csv]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
disabled = false
pulldown_type = true
description = Comma-separated value format. Set header and other settings in "D$
TIMESTAMP_FIELDS = Trip Start Timestamp
TZ = America/Chicago
TRANSFORM-mask = taxiMask

transforms.conf:

[taxiMask]
REGEX = (\w{120})(\w{8})
FORMAT = "Taxi ID"::$2
WRITE_META = true
SOURCE_KEY = field:"Taxi ID"
DEST_KEY = _raw

However, the resulting indexed data contains both the original string and the shortened string as two separate values in the same field. What configuration change can I make to replace the original value with the shortened string?

Thanks!

somesoni2 · ‎06-08-2017

Try this for your transforms.conf entry

[taxiMask]
REGEX = (?m)^(.*)(\w{120})(\w{8})(.*)$
FORMAT = $1$3$4
DEST_KEY = _raw

Transforms not replacing original value

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Transforms not replacing original value

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases