Getting Data In

Understanding the relationship between props.conf and transforms.con

Path Finder

I am setting up a specific forwarder to monitor a log file that generates logs for multiple cases, but I only care about one, so I decided to filter the logs when they reach the server by utilizing the combination of nullQueue and indexQueue, in that order, to only retain the logs that matter to me.

What I don't understand in the props.conf is the purpose of

[source::<source>]
TRANSFORMS-<class> = <stanza_name>, etc.

What is the class in that entry? Can it be anything I want, should it tie to what the transform will do or does it have to be related to the stanzas I'll be calling? I read the "Route and filter data" page and I get the general idea, I just don't understand how to tie in the props.conf the configuration set in transforms.conf

1 Solution

SplunkTrust
SplunkTrust

Hi ricotries,

What is the class in that entry?

Can it be anything I want, should it tie
to what the transform will do or does
it have to be related to the stanzas
I'll be calling?

The class entry needs to be a uniq value that can be set to anything you want, there is no relation to the actual transforms.conf stanza you call. Usually I do something like this :

[source::<source>]
TRANSFORMS-001-ThisIsMyStanzaName = ThisIsMyStanzaName

But it can also be something like this:

[source::<source>]
TRANSFORMS-PleaseCallThisStanzaInTransforms = ThisIsMyStanzaName

Hope this makes sense and helps ...

cheers, MuS

View solution in original post

SplunkTrust
SplunkTrust

Hi ricotries,

What is the class in that entry?

Can it be anything I want, should it tie
to what the transform will do or does
it have to be related to the stanzas
I'll be calling?

The class entry needs to be a uniq value that can be set to anything you want, there is no relation to the actual transforms.conf stanza you call. Usually I do something like this :

[source::<source>]
TRANSFORMS-001-ThisIsMyStanzaName = ThisIsMyStanzaName

But it can also be something like this:

[source::<source>]
TRANSFORMS-PleaseCallThisStanzaInTransforms = ThisIsMyStanzaName

Hope this makes sense and helps ...

cheers, MuS

View solution in original post

Communicator

Good point the EXTRACT, REPORT and TRANSFORMS class names must be unique  (i.e TRANSFORMS-abc and TRANSFORMS-xyz and NOT  TRANSFORMS-abc and  TRANSFORMS-abc)

 

 

Path Finder

The class can be called any unique value, does that mean that if used once it shouldn't be used again? If I have two stanzas in props.conf that point to the same stanza in transforms.conf but are applied to two different sources, should I use the same class or use a different one?

Would this be correct or no?

[source::source1]
TRANSFORMS-type1 = stanza1

[source::source2]
TRANSFORMS-type2 = stanza1

SplunkTrust
SplunkTrust

Yes, this is correct. The class is fully arbitrary but needs to be unique per stanza and per field extraction type of TRANSFORMS, REPORT, and EXTRACT.

I hope this does not confuse you more ...

cheers, MuS