Getting Data In

What is function of DEST_KEY in transforms.conf

ankithreddy777
Contributor

I am little bit confused by the explanation given for DEST_KEY IN TRANSFORMS.CONF. May I know what is the exact function of it.

1 Solution

skalliger
SplunkTrust
SplunkTrust

There are two options: Field extractions at indexing time or at search time (e.g. CIM compliance).
You can define extractions using RegEx in the transforms.conf at indexing time (e.g. using a heavy forwarder). To do so, you can specify the DEST_KEY after a RegEx to determine where to store your data.

Skalli

Edit: Ah, too slow. 🙂

View solution in original post

woodcock
Esteemed Legend

You should pick the best answer and click Accept.

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@ankithreddy777 - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma

skalliger
SplunkTrust
SplunkTrust

There are two options: Field extractions at indexing time or at search time (e.g. CIM compliance).
You can define extractions using RegEx in the transforms.conf at indexing time (e.g. using a heavy forwarder). To do so, you can specify the DEST_KEY after a RegEx to determine where to store your data.

Skalli

Edit: Ah, too slow. 🙂

gcusello
Legend

Hi ankithreddy777,
see https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Transformsconf

DEST_KEY specifies where Splunk stores the expanded FORMAT results in accordance with the REGEX match.

Bye.
Giuseppe

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!