Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

transforms.conf

VijaySrrie
Builder
‎10-26-2020 01:40 AM

Please help me with the transforms.conf

Available indexes details

index_pr_prod

index_ee_psvt

index_np_psup

 

Index has 3 parts, 1st part is same , 2nd part we need to derive from host and 3rd part we need to derive from asset_env

I tried the below transforms but it did not work, do we need two different stanza configs in transforms.com?

[change_index_name]
SOURCE_KEY = MetaData:Host
REGEX = ^host::\w{12}(?i)(ee|pr|ps)
DEST_KEY = _MetaData:Index
SOURCE_KEY = MetaData:Asset_Env
REGEX = ^asset_env::\w{5}
DEST_KEY = _MetaData:Index
FORMAT = index_$1_$2

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-26-2020 01:48 AM

Hi @VijaySrrie,

you cannot put in the same stanza more times the same option, only once; so you have to find one single regex to identify the three groups in index names.

Ciao.

Giuseppe

 

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...