Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- how to work with transforms.conf
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to work with transforms.conf
sarit_s
Communicator
01-22-2024
07:11 AM
Hello
I have few services that today sends data some index via code.
We are going to remove this index and create new one but cannot change the code so i want to change the point with transforms.conf + props.conf using regex that extract the service name from source field and the environment from _raw
this is my transforms.conf file :
[service_extraction]
SOURCE_KEY = source
REGEX = \/var\/log\/pods\/(.+?)_
FORMAT = complaince_int_front::@service_$environment
DEST_KEY = _MetaData:Index
LOOKAHEAD = 40000
[environment_extraction]
SOURCE_KEY = sourcetype::kube:container:mockapiservice
REGEX = "Region":"(.+?)"
FORMAT = complaince_int_front::@service_$1
DEST_KEY = _MetaData:Index
LOOKAHEAD = 40000i guess i did something wrong since its not working
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
datadevops
Path Finder
01-28-2024
02:50 AM
Hi there,
Here's a breakdown of potential issues and solutions:
1. Regex Accuracy:
- Double-check that the regular expressions (REGEX) accurately match your expected data patterns. Test them thoroughly using online regex testers or Splunk's rex command.
- Ensure the source and sourcetype fields contain the correct values for extraction.
2. FORMAT Order:
- The FORMAT field should use $1 to reference the first captured group from the regex, not $environment. Here's the corrected format:
FORMAT = complaince_int_front::@service_$1
3. Transform Order:
- If both transforms are applied to the same data, consider their order. The environment_extraction transform might overwrite the service_extraction if it runs first. Adjust the order in transforms.conf if needed.
4. props.conf:
- Verify that props.conf correctly sets the _MetaData:Index field for indexing.
5. Troubleshooting Steps:
- Review Logs: Examine Splunk's internal logs for errors or warnings related to transforms.
- Test with Sample Data: Isolate issues by manually running transforms on sample data using the | command.
- Enable Debugging: Set DEBUG = true in [transforms] for detailed logging.
Additional Tips:
- Consider using Splunk's indextime command for more flexible index-time transformations.
- Consult Splunk's documentation for in-depth guidance on transforms and regular expressions.
Remember:
- Test changes thoroughly in a non-production environment before deploying to production.
- Regularly review and update transforms to ensure they align with evolving data patterns.
~ If the reply helps, a Karma upvote would be appreciated
Get Updates on the Splunk Community!
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
🚀 Your data just got a serious AI upgrade — are you ready?
Say hello to the Agentic Era with the ...
Feel the Splunk Love: Real Stories from Real Customers
Hello Splunk Community,
What’s the best part of hearing how our customers use Splunk? Easy: the positive ...
Data Management Digest – November 2025
Welcome to the inaugural edition of Data Management Digest!
As your trusted partner in data innovation, the ...
