Getting Data In

route and rewrite

caphrim007

I was wondering if it were possible to do a mask on events in addition to sending them to a separate index.

Since the changes I think I need to make are both in the props and transforms.conf, I'm not thinking this is possible, but figured I'd ask.

I have log entries that have a large amount of text prefixed to them (they are event sentry logs) and so I was going to use a transforms.conf stanza to remove that. But I also wanted to route them to a particular index so that I could use ACLs to allow the people sending me those logs to see them without having to get into srchFilter hell.


Stephen_Sorkin
Splunk Employee

As gkanapathy said, you can run any number of TRANSFORMS on your data. As far as removing undesired parts of the log lines, I'd strongly suggest using SEDCMD directives from props.conf, as it's significantly easier to configure simple text transformations using sed syntax than SOURCE_KEY, REGEX, FORMAT, DEST_KEY in transforms.conf.

gkanapathy
Splunk Employee

Yes, you can do both. You can simply specify multiple TRANSFORMS entries for your source/sourcetypes in props.conf. All of them will run. In this particular case, it doesn't matter what order they happen in, so you can just have an entry for each action you want. (setting the index routing doesn't cause it to index, it just indicates which index it will go to when it does index).
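Putting both answers together, here is what the combination of a SEDCMD prefix strip (Stephen_Sorkin's suggestion) and a TRANSFORMS index route (gkanapathy's point that several TRANSFORMS entries can coexist) looks like on disk. This is an added example, not configuration posted by either answerer; the sourcetype name `eventsentry`, the index name `eventsentry`, the role name, the app directory and the exact prefix text in the sample event are all assumptions, since the original post does not show a real log line. These stanzas belong on the indexer or heavy forwarder that parses the data (a universal forwarder does not run SEDCMD or index-time TRANSFORMS), and the target index must be defined in indexes.conf there, otherwise the routed events are dropped unless lastChanceIndex is set.

```ini
# $SPLUNK_HOME/etc/apps/eventsentry_routing/local/props.conf
# (app name assumed for this example)
#
# Constructed sample event, before the SEDCMD runs:
#   <13>Jan  1 00:00:00 web01 EventSentry: Logon failure for user alice from 10.0.0.5
# After the SEDCMD runs, _raw is:
#   Logon failure for user alice from 10.0.0.5
[eventsentry]
# Strip everything up to and including the assumed "EventSentry: " prefix.
# Non-greedy so a second "EventSentry: " inside the message body survives.
SEDCMD-strip_prefix = s/^.*?EventSentry: //
# Route every event of this sourcetype to its own index. Order relative to
# the SEDCMD does not matter here because the routing REGEX matches any event.
TRANSFORMS-route_eventsentry = set_eventsentry_index

# $SPLUNK_HOME/etc/apps/eventsentry_routing/local/transforms.conf
[set_eventsentry_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = eventsentry

# $SPLUNK_HOME/etc/apps/eventsentry_routing/local/indexes.conf
# The index must exist on the indexer or the routed events are dropped.
[eventsentry]
homePath   = $SPLUNK_DB/eventsentry/db
coldPath   = $SPLUNK_DB/eventsentry/colddb
thawedPath = $SPLUNK_DB/eventsentry/thaweddb

# $SPLUNK_HOME/etc/apps/eventsentry_routing/local/authorize.conf
# The ACL half of the question: a role (name assumed) that can search only
# this index, so the people sending the logs never need an srchFilter.
[role_eventsentry_readers]
search = enabled
srchIndexesAllowed = eventsentry
srchIndexesDefault = eventsentry
```

Before restarting, confirm the merged result with `splunk btool props list eventsentry --debug` and `splunk btool transforms list set_eventsentry_index --debug`; btool shows which file each setting came from, which catches a conflicting SEDCMD or TRANSFORMS stanza in another app. Note that `importRoles` was deliberately left out of the role: imported roles contribute their own srchIndexesAllowed, so inheriting from `user` would quietly widen what the readers can search.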
