Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

route and rewrite

caphrim007
Path Finder
‎08-25-2010 06:27 PM

I was wondering if it were possible to do a mask on events in addition to sending them to a separate index.

Since the changes I think I need to make are both in the props and transforms.conf, I'm not thinking this is possible, but figured I'd ask.

I have log entries that have a large amount of text prefixed to them (they are event sentry logs) and so I was going to use a transforms.conf stanza to remove that. But I also wanted to route them to a particular index so that I could use ACLs to allow the people sending me those logs to see them without having to get into srchFilter hell.

Tags (2)
0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-25-2010 06:41 PM

As gkanapathy said, you can run any number of TRANSFORMS on your data. As far as removing undesired parts of the log lines, I'd strongly suggest using SEDCMD directives from props.conf, as it's significantly easier to configure simple text transformations using sed syntax than SOURCE_KEY, REGEX, FORMAT, DEST_KEY in transforms.conf.

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-25-2010 06:33 PM

Yes, you can do both. You can simply specify multiple TRANSFORMS entries for your source/sourcetypes in props.conf. All of them will run. In this particular case, it doesn't matter what order they happen in, so you can just have an entry for each action you want. (setting the index routing doesn't cause it to index, it just indicates which index it will go to when it does index).

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...