Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- how to write the props.conf stanze to test the tra...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pavanae
Builder
08-27-2019
03:25 PM
The following is transforms.conf in my search head
[a_b]
SOURCE_KEY = _meta
REGEX = (logtype::A.*(id::(123|456)|(id::789.*username!::[a-zA-Z]{2,3}-+.*?-ZLX))
DEST_KEY = _ghi
FORMAT = KLMN
Now how to write my props.conf in order to test the REGEX in the above transforms.conf works. Especially I would like to see if the id=789 and username not equall to the string that ends with -ZLX?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
p_gurav
Champion
08-28-2019
01:30 AM
To props.conf, add the following lines:
[<sourcetype_name>]
TRANSFORMS-<class> = a_b
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
09-01-2019
01:16 PM
Why are you using SOURCE_KEY = _meta? What do you think that your REGEX will match (and have you tested it with a tool like http://www.RegEx101.com)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
p_gurav
Champion
08-28-2019
01:30 AM
To props.conf, add the following lines:
[<sourcetype_name>]
TRANSFORMS-<class> = a_b
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pavanae
Builder
08-28-2019
07:52 AM
Thanks @p_gurav. what does line 2 means. What should I specify there?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
09-01-2019
01:15 PM
The <class> is fully arbitrary and the only requirement is that it must be unique across all configuration settings so do not pick a common/simple string.
Get Updates on the Splunk Community!
What the End of Support for Splunk Add-on Builder Means for You
Hello Splunk Community!
We want to share an important update regarding the future of the Splunk Add-on Builder ...
Solve, Learn, Repeat: New Puzzle Channel Now Live
Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...
Building Reliable Asset and Identity Frameworks in Splunk ES
Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...
