trying to rename source at index time with transfo...

julienoud · ‎07-05-2018

hello,

I want to change my source names in shorter ones. At first I had something that worked very well.
transforms.conf :

[short_source]
SOURCE_KEY = Metadata:Source
REGEX =myregex(my_capturing_group)
DEST_KEY = Metadata:Source
FORMAT = source::$1

But then i had to change my Splunk version, (the new one is 7.1.1), and i got an error when checking my configuration files : "undocumented key in transforms.conf ; stanza='short_source' setting='SOURCE_KEY'. Above you can see what I tried according to the splunk documentation :

[short_source]
SOURCE_KEY = Metadata:Source
REGEX = myregex(my_capturing_group)
DEST_KEY = Metadata:Source
FORMAT = source::$1

[accepted_keys]
is_accepted = Metadata:Source

After restart, I don't have error anymore, but the source is not changing on my new indexed data.
Of course i have the appropriate stanza in porps.conf :

[my_sourcetype]
TRANSFORMS-source = short_source

Thank you for your help!

ss026381 · ‎10-24-2019

Try MetaData:Source with capital D.

 [short_source]
SOURCE_KEY = MetaData:Source
REGEX = myregex(my_capturing_group)
DEST_KEY = MetaData:Source
FORMAT = source::$1

trying to rename source at index time with transforms.conf

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

trying to rename source at index time with transforms.conf

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!