Getting Data In

What happens if "DEST_KEY = MetaData:Host"?

ankithreddy777
Contributor

May I know the answers for the below questions.

what happens if DEST_KEY = MetaData:Host? Does the Host metadata replaced by new one?.
what happens if DEST_KEY = _raw? Does the entire _raw replaced?
what is default DEST_KEY?

1 Solution

lguinn2
Legend

Here is the documentation on the keys in transforms.conf
And here are the specific answers to your questions:

If DEST_KEY = MetaData:Host, then the FORMAT must be supplied in the form FORMAT=host::newName where newName is the new value for the host field.

If DEST_KEY = _raw, the entire raw data of the event is replaced with the contents of the FORMAT

There is no default DEST_KEY, but DEST_KEY is not required for all types of transforms.

View solution in original post

lguinn2
Legend

Here is the documentation on the keys in transforms.conf
And here are the specific answers to your questions:

If DEST_KEY = MetaData:Host, then the FORMAT must be supplied in the form FORMAT=host::newName where newName is the new value for the host field.

If DEST_KEY = _raw, the entire raw data of the event is replaced with the contents of the FORMAT

There is no default DEST_KEY, but DEST_KEY is not required for all types of transforms.

saurabh_tek11
Communicator

@ankithreddy777 DEST_KEY = _raw is generally used for masking the sensitive data (card numbers, PINs or IP addresses) which comes in _raw

This is supplemented with REGEX = (your regex e.g. to extract PIN) - for values which you want to mask in your raw data
and
FORMAT = $1PIN=####$2 masking the 4 digit PIN with 4 hashes.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...