Understanding the relationship between props.conf and transforms.conf

ricotries
Communicator

I am setting up a specific forwarder to monitor a log file that generates logs for multiple cases, but I only care about one, so I decided to filter the logs when they reach the server by utilizing the combination of nullQueue and indexQueue, in that order, to only retain the logs that matter to me.

What I don't understand in the props.conf is the purpose of

[source::<source>]
TRANSFORMS-<class> = <stanza_name>, etc.

What is the class in that entry? Can it be anything I want, should it tie to what the transform will do or does it have to be related to the stanzas I'll be calling? I read the "Route and filter data" page and I get the general idea, I just don't understand how to tie in the props.conf the configuration set in transforms.conf.

1 Solution

MuS
SplunkTrust

Hi ricotries,

> What is the class in that entry?
>
> Can it be anything I want, should it tie to what the transform will do or does it have to be related to the stanzas I'll be calling?

The class entry needs to be a unique value that can be set to anything you want; there is no relation to the actual transforms.conf stanza you call. Usually I do something like this:

[source::<source>]
TRANSFORMS-001-ThisIsMyStanzaName = ThisIsMyStanzaName

But it can also be something like this:

[source::<source>]
TRANSFORMS-PleaseCallThisStanzaInTransforms = ThisIsMyStanzaName

Hope this makes sense and helps ...

cheers, MuS

anwarmian
Communicator

Good point: the EXTRACT, REPORT and TRANSFORMS class names must be unique (i.e. TRANSFORMS-abc and TRANSFORMS-xyz, and NOT TRANSFORMS-abc and TRANSFORMS-abc).

ricotries
Communicator

The class can be called any unique value, does that mean that if used once it shouldn't be used again? If I have two stanzas in props.conf that point to the same stanza in transforms.conf but are applied to two different sources, should I use the same class or use a different one?

Would this be correct or no?

[source::source1]
TRANSFORMS-type1 = stanza1

[source::source2]
TRANSFORMS-type2 = stanza1

MuS
SplunkTrust

Yes, this is correct. The class is fully arbitrary but needs to be unique per stanza and per field extraction type of TRANSFORMS, REPORT, and EXTRACT.

I hope this does not confuse you more ...

cheers, MuS
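
A small checker for the wiring discussed in this thread, as an added example that is not from any of the posters or from Splunk: it reads each TRANSFORMS-<class> entry in props.conf, flags a class name reused within one stanza, and flags names with no matching stanza in transforms.conf. The file contents, paths, stanza names and REGEX values are constructed for illustration, with the nullQueue stanza listed before the indexQueue one as in the original question.

```python
# Constructed sample files (not from the thread); paths, stanza names and REGEX are assumptions.
PROPS = r"""
[source::/var/log/app.log]
TRANSFORMS-filter = setnull, keep_case
TRANSFORMS-filter = keep_case

[source::/var/log/other.log]
TRANSFORMS-filter = setnull, keep_cse
"""
TRANSFORMS = r"""
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_case]
REGEX = case=42
DEST_KEY = queue
FORMAT = indexQueue
"""
def parse_conf(text):
    """Return (stanza, key, value) rows in file order, keeping repeated keys."""
    rows, stanza = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif stanza and "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            rows.append((stanza, key, value))
    return rows

def lint(props_text, transforms_text):
    """Flag reused TRANSFORMS class names in a stanza and undefined transforms stanzas."""
    defined = {stanza for stanza, _, _ in parse_conf(transforms_text)}
    seen, findings = set(), []
    for stanza, key, value in parse_conf(props_text):
        if not key.startswith("TRANSFORMS-"):
            continue
        if (stanza, key) in seen:  # same class twice under one [source::...] stanza
            findings.append(("duplicate-class", stanza, key))
        seen.add((stanza, key))
        for name in filter(None, map(str.strip, value.split(","))):
            if name not in defined:  # props.conf names a stanza transforms.conf lacks
                findings.append(("undefined-transform", stanza, name))
    return findings

if __name__ == "__main__":
    for finding in lint(PROPS, TRANSFORMS):
        print(finding)
```

The same class name under two different source stanzas is not reported, matching the "unique per stanza" rule given in the last reply.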
