Hi there,

Here's a breakdown of potential issues and solutions:

1. Regex Accuracy:

• Double-check that the regular expressions (REGEX) accurately match your expected data patterns. Test them thoroughly using online regex testers or Splunk's rex command.
• Ensure the source and sourcetype fields contain the correct values for extraction.

2. FORMAT Order:

• The FORMAT field should use $1 to reference the first captured group from the regex, not $environment. Here's the corrected format:

FORMAT = complaince_int_front::@service_$1

3. Transform Order:

• If both transforms are applied to the same data, consider their order. The environment_extraction transform might overwrite the service_extraction if it runs first. Adjust the order in transforms.conf if needed.

4. props.conf:

• Verify that props.conf correctly sets the _MetaData:Index field for indexing.

5. Troubleshooting Steps:

• Review Logs: Examine Splunk's internal logs for errors or warnings related to transforms.
• Test with Sample Data: Isolate issues by manually running transforms on sample data using the | command.
• Enable Debugging: Set DEBUG = true in [transforms] for detailed logging.

Additional Tips:

• Consider using Splunk's indextime command for more flexible index-time transformations.
• Consult Splunk's documentation for in-depth guidance on transforms and regular expressions.

Remember:

• Test changes thoroughly in a non-production environment before deploying to production.
• Regularly review and update transforms to ensure they align with evolving data patterns.

~ If the reply helps, a Karma upvote would be appreciated