Getting Data In

When should I use Report or Transform on props.conf?

celsohso
Path Finder

When should I use Report and when should I use Transform on the props.conf?

1 Solution

somesoni2
SplunkTrust
SplunkTrust

As per documentation, TRANSFORM is used for creating index time field (a field identified during indexing of data and is saved to index, indexing overhead) and REPORT or EXTRACT is used to create search time field extractions ( fields not saved to index rather extracted at search time).

For more details see props.conf specification from link below (search for section "# Field extraction configuration" on the page)

http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/Propsconf

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

As per documentation, TRANSFORM is used for creating index time field (a field identified during indexing of data and is saved to index, indexing overhead) and REPORT or EXTRACT is used to create search time field extractions ( fields not saved to index rather extracted at search time).

For more details see props.conf specification from link below (search for section "# Field extraction configuration" on the page)

http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/Propsconf

somesoni2
SplunkTrust
SplunkTrust

Based on your requirement (data deletion instead of data masking), you should use SEDCMD in props.conf instead of REPORT or TRANSFORM. I have provided an answer in your related question. Have a look at that.

http://answers.splunk.com/answers/148270/transformconf-hide-values-or-make-them-anonymous?page=1&foc...

0 Karma

celsohso
Path Finder

Thanks,
In my case I want to remove this "ORG PRINTER SELECT = Deny, PRIV FILE AOC = Deny, ATTORNEY PORTAL = Deny,..." from my logs, would you be able to tell if that construction for the transform and props have any flaw?

Transforms.conf
[removedeny]
REGEX = ^([A-Za-z0-9\S\s]+\s=\sDeny,)$
FORMAT = $1$2
DEST_KEY = _raw

Props.conf
REPORT-removedeny = removedeny or
Transform-removedeny = removedeny

Thank you for your help!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...