Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

transforms.conf

JeffTanYH
Engager
‎05-15-2012 01:56 AM

This question may seem pretty silly but I'm really clueless about SPLUNK.

I do know where to configure the props.conf,however,I'm not too sure how do I configure the transform.conf for my logs. How do I go about doing it?

Do I put the transform.conf into the field where I input my props.conf as well? (At the start when I'm importing my data into SPLUNK)

Please help me!

Tags (1)
0 Karma
Reply

MatthewTowey
Path Finder
‎05-15-2012 06:00 AM

Hi JeffTanYH

If your props.conf is looking sometyhing like

[source::"yoursource"]

"some props.conf entries e.g KV_MODE,SEDCMD"

REPORT-report = unclean

then it will reference the stanza "unclean" in transforms.conf

your transforms.conf would look like

[unclean]

CLEAN_KEYS = 0

DELIMS = "(""|", "="

Hope that clears things up for you

Mat

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎05-15-2012 03:39 AM

Not sure exactly what you are asking. Transforms.conf would be located in the same folder as props.conf. I would suggest looking at some other answers on here to find one that matches what you are trying to accomplish.

http://splunk-base.splunk.com/search/?q=transforms.conf

You are probably looking to do one of the following:

Customize field extraction at index-time
Route and filter data
Specification and example files for transforms.conf
Create and maintain search-time field extractions through configuration files

http://docs.splunk.com/Special:SplunkSearch/docs?q=transforms.conf

Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...