May I know the answers to the questions below?
What happens if DEST_KEY = MetaData:Host? Is the Host metadata replaced by the new one?
What happens if DEST_KEY = _raw? Is the entire _raw replaced?
What is the default DEST_KEY?
Here is the documentation on the keys in transforms.conf
And here are the specific answers to your questions:
If DEST_KEY = MetaData:Host, then the FORMAT must be supplied in the form FORMAT=host::newName where newName is the new value for the host field.
If DEST_KEY = _raw, the entire raw data of the event is replaced with the contents of the FORMAT.
There is no default DEST_KEY, but DEST_KEY is not required for all types of transforms.
@ankithreddy777 DEST_KEY = _raw is generally used for masking sensitive data (card numbers, PINs or IP addresses) that comes in _raw.
This is supplemented with REGEX = (your regex, e.g. to extract the PIN) for the values you want to mask in your raw data, and FORMAT = $1PIN=####$2, masking the 4-digit PIN with 4 hashes.
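
The masking and host-override transforms discussed in the answers above, written out as props.conf and transforms.conf stanzas. This is an added example, not part of the original thread; the sourcetype `pos_terminal`, the stanza names, the `device_name` field and the sample event are assumptions made for illustration.

```ini
# Constructed sample event:
#   2024-01-01 12:00:00 device_name=till07 card=ok PIN=4821 result=approved

# ---- props.conf ----
# TRANSFORMS-<class> applies the named transforms at index time.
# "pos_terminal" is a hypothetical sourcetype.
[pos_terminal]
TRANSFORMS-mask_pin = mask_pin
TRANSFORMS-set_host = set_host_from_device

# ---- transforms.conf ----

# Too narrow (kept commented out): with DEST_KEY = _raw the expanded FORMAT
# becomes the whole event, so text outside the match is lost and the
# sample event would be indexed as just "PIN=####".
# [mask_pin_too_narrow]
# REGEX    = PIN=\d{4}
# FORMAT   = PIN=####
# DEST_KEY = _raw

# Corrected: capture everything before and after the PIN and write it back
# through $1 and $2, so only the four digits change.
# (?s) lets "." cross newlines in multi-line events.
# Result for the sample event:
#   2024-01-01 12:00:00 device_name=till07 card=ok PIN=#### result=approved
[mask_pin]
REGEX    = (?s)^(.*)PIN=\d{4}(.*)$
FORMAT   = $1PIN=####$2
DEST_KEY = _raw

# Host override: FORMAT must take the form host::<newName>.
# Here the new name comes from the hypothetical device_name field,
# so the sample event is indexed with host=till07.
[set_host_from_device]
REGEX    = device_name=(\S+)
FORMAT   = host::$1
DEST_KEY = MetaData:Host
```

Because the leading `(.*)` is greedy, `mask_pin` rewrites only the last `PIN=` occurrence in an event; an event carrying several PINs needs a regex written for that layout.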