trying to rename source at index time with transfo...

julienoud · ‎07-05-2018

hello,

I want to change my source names in shorter ones. At first I had something that worked very well.
transforms.conf :

[short_source]
SOURCE_KEY = Metadata:Source
REGEX =myregex(my_capturing_group)
DEST_KEY = Metadata:Source
FORMAT = source::$1

But then i had to change my Splunk version, (the new one is 7.1.1), and i got an error when checking my configuration files : "undocumented key in transforms.conf ; stanza='short_source' setting='SOURCE_KEY'. Above you can see what I tried according to the splunk documentation :

[short_source]
SOURCE_KEY = Metadata:Source
REGEX = myregex(my_capturing_group)
DEST_KEY = Metadata:Source
FORMAT = source::$1

[accepted_keys]
is_accepted = Metadata:Source

After restart, I don't have error anymore, but the source is not changing on my new indexed data.
Of course i have the appropriate stanza in porps.conf :

[my_sourcetype]
TRANSFORMS-source = short_source

Thank you for your help!

ss026381 · ‎10-24-2019

Try MetaData:Source with capital D.

 [short_source]
SOURCE_KEY = MetaData:Source
REGEX = myregex(my_capturing_group)
DEST_KEY = MetaData:Source
FORMAT = source::$1

trying to rename source at index time with transforms.conf

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Join the Conversation

trying to rename source at index time with transforms.conf

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...