Getting Data In

route and rewrite

Path Finder

I was wondering if it were possible to do a mask on events in addition to sending them to a separate index.

Since the changes I think I need to make are both in the props and transforms.conf, I'm not thinking this is possible, but figured I'd ask.

I have log entries that have a large amount of text prefixed to them (they are event sentry logs) and so I was going to use a transforms.conf stanza to remove that. But I also wanted to route them to a particular index so that I could use ACLs to allow the people sending me those logs to see them without having to get into srchFilter hell.

Tags (2)
0 Karma

Splunk Employee
Splunk Employee

As gkanapathy said, you can run any number of TRANSFORMS on your data. As far as removing undesired parts of the log lines, I'd strongly suggest using SEDCMD directives from props.conf, as it's significantly easier to configure simple text transformations using sed syntax than SOURCE_KEY, REGEX, FORMAT, DEST_KEY in transforms.conf.

Splunk Employee
Splunk Employee

Yes, you can do both. You can simply specify multiple TRANSFORMS entries for your source/sourcetypes in props.conf. All of them will run. In this particular case, it doesn't matter what order they happen in, so you can just have an entry for each action you want. (setting the index routing doesn't cause it to index, it just indicates which index it will go to when it does index).