Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- What happens if "DEST_KEY = MetaData:Host"?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
May I know the answers for the below questions.
what happens if DEST_KEY = MetaData:Host? Does the Host metadata replaced by new one?.
what happens if DEST_KEY = _raw? Does the entire _raw replaced?
what is default DEST_KEY?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the documentation on the keys in transforms.conf
And here are the specific answers to your questions:
If DEST_KEY = MetaData:Host, then the FORMAT must be supplied in the form FORMAT=host::newName where newName is the new value for the host field.
If DEST_KEY = _raw, the entire raw data of the event is replaced with the contents of the FORMAT
There is no default DEST_KEY, but DEST_KEY is not required for all types of transforms.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the documentation on the keys in transforms.conf
And here are the specific answers to your questions:
If DEST_KEY = MetaData:Host, then the FORMAT must be supplied in the form FORMAT=host::newName where newName is the new value for the host field.
If DEST_KEY = _raw, the entire raw data of the event is replaced with the contents of the FORMAT
There is no default DEST_KEY, but DEST_KEY is not required for all types of transforms.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ankithreddy777 DEST_KEY = _raw is generally used for masking the sensitive data (card numbers, PINs or IP addresses) which comes in _raw
This is supplemented with REGEX = (your regex e.g. to extract PIN) - for values which you want to mask in your raw data
and
FORMAT = $1PIN=####$2 masking the 4 digit PIN with 4 hashes.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
