Getting Data In

route and rewrite

caphrim007
Path Finder

I was wondering if it were possible to do a mask on events in addition to sending them to a separate index.

Since the changes I think I need to make are both in the props and transforms.conf, I'm not thinking this is possible, but figured I'd ask.

I have log entries that have a large amount of text prefixed to them (they are EventSentry logs), and so I was going to use a transforms.conf stanza to remove that. But I also wanted to route them to a particular index so that I could use ACLs to allow the people sending me those logs to see them without having to get into srchFilter hell.


Stephen_Sorkin
Splunk Employee

As gkanapathy said, you can run any number of TRANSFORMS on your data. As far as removing undesired parts of the log lines, I'd strongly suggest using SEDCMD directives from props.conf, as it's significantly easier to configure simple text transformations using sed syntax than SOURCE_KEY, REGEX, FORMAT, DEST_KEY in transforms.conf.

gkanapathy
Splunk Employee

Yes, you can do both. You can simply specify multiple TRANSFORMS entries for your source/sourcetypes in props.conf. All of them will run. In this particular case, it doesn't matter what order they happen in, so you can just have an entry for each action you want. (setting the index routing doesn't cause it to index, it just indicates which index it will go to when it does index).
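Putting the two answers together, here is an added configuration example that is not from the original thread or from Splunk's documentation. It assumes a sourcetype named `eventsentry`, a target index also named `eventsentry`, a role named `eventsentry_viewers`, and a placeholder prefix of the form `EventSentry: <host> ` in front of the real message; substitute the actual sourcetype, index and prefix pattern. The SEDCMD handles the prefix removal, a separate TRANSFORMS class handles the index routing, and both run for every event of that sourcetype.

```ini
# props.conf  (on the indexer or heavy forwarder that parses the data)
[eventsentry]
# Assumed sourcetype name. Strip the fixed prefix using sed syntax; the
# pattern is a placeholder, adjust it to the real prefix.
SEDCMD-strip_prefix = s/^EventSentry:\s+\S+\s+//
# Index routing is a separate TRANSFORMS class; it runs alongside the SEDCMD.
TRANSFORMS-route = route_eventsentry_index

# transforms.conf
[route_eventsentry_index]
# Match every event of this sourcetype, so routing does not depend on the
# prefix still being present when this transform happens to run.
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = eventsentry

# Equivalent prefix removal written as a transform instead of a SEDCMD
# (more verbose; to use it, add "TRANSFORMS-strip = strip_eventsentry_prefix"
# to the props.conf stanza above and drop the SEDCMD line).
[strip_eventsentry_prefix]
SOURCE_KEY = _raw
REGEX = ^EventSentry:\s+\S+\s+(.*)$
FORMAT = $1
DEST_KEY = _raw

# indexes.conf  (the target index must already exist on every indexer;
# Splunk does not create it on the fly when an event is routed to it)
[eventsentry]
homePath   = $SPLUNK_DB/eventsentry/db
coldPath   = $SPLUNK_DB/eventsentry/colddb
thawedPath = $SPLUNK_DB/eventsentry/thaweddb

# authorize.conf  (assumed role name: grant the submitting team read access
# to the dedicated index instead of maintaining a per-role srchFilter)
[role_eventsentry_viewers]
importRoles = user
srchIndexesAllowed = eventsentry
srchIndexesDefault = eventsentry
```

Using `REGEX = .` in the routing stanza is what makes the ordering irrelevant: if the routing regex instead keyed on part of the prefix, the rewrite and the routing would have to be ordered so that routing sees the prefix before it is stripped. Scoping access by index rather than by `srchFilter` also means the boundary is enforced by which indexes the role may search at all, which is simpler to audit than a search-time filter expression.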
