Getting Data In

how to write the props.conf stanze to test the transforms Regex?

pavanae
Builder

The following is transforms.conf in my search head

[a_b]
SOURCE_KEY = _meta
REGEX = (logtype::A.*(id::(123|456)|(id::789.*username!::[a-zA-Z]{2,3}-+.*?-ZLX))
DEST_KEY = _ghi
FORMAT = KLMN

Now how to write my props.conf in order to test the REGEX in the above transforms.conf works. Especially I would like to see if the id=789 and username not equall to the string that ends with -ZLX?

0 Karma
1 Solution

p_gurav
Champion

To props.conf, add the following lines:

[<sourcetype_name>]
TRANSFORMS-<class> = a_b

View solution in original post

0 Karma

woodcock
Esteemed Legend

Why are you using SOURCE_KEY = _meta? What do you think that your REGEX will match (and have you tested it with a tool like http://www.RegEx101.com)?

0 Karma

p_gurav
Champion

To props.conf, add the following lines:

[<sourcetype_name>]
TRANSFORMS-<class> = a_b
0 Karma

pavanae
Builder

Thanks @p_gurav. what does line 2 means. What should I specify there?

0 Karma

woodcock
Esteemed Legend

The <class> is fully arbitrary and the only requirement is that it must be unique across all configuration settings so do not pick a common/simple string.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...