Solved: What is function of DEST_KEY in transforms.conf

ankithreddy777 · ‎01-23-2017

I am little bit confused by the explanation given for DEST_KEY IN TRANSFORMS.CONF. May I know what is the exact function of it.

skalliger · ‎01-23-2017

There are two options: Field extractions at indexing time or at search time (e.g. CIM compliance).
You can define extractions using RegEx in the transforms.conf at indexing time (e.g. using a heavy forwarder). To do so, you can specify the DEST_KEY after a RegEx to determine where to store your data.

Skalli

Edit: Ah, too slow. 🙂

View solution in original post

woodcock · ‎01-24-2017

You should pick the best answer and click Accept.

aaraneta_splunk · ‎01-23-2017

@ankithreddy777 - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

skalliger · ‎01-23-2017

There are two options: Field extractions at indexing time or at search time (e.g. CIM compliance).
You can define extractions using RegEx in the transforms.conf at indexing time (e.g. using a heavy forwarder). To do so, you can specify the DEST_KEY after a RegEx to determine where to store your data.

Skalli

Edit: Ah, too slow. 🙂

gcusello · ‎01-23-2017

Hi ankithreddy777,
see https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Transformsconf

DEST_KEY specifies where Splunk stores the expanded FORMAT results in accordance with the REGEX match.

Bye.
Giuseppe

What is function of DEST_KEY in transforms.conf

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life