Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Creating new field from raw event

RSS_STT
Explorer
‎02-10-2025 02:08 AM

i want to create new index time field severity if raw json payload have level field value is Information.

{ "level": "Information", "ORIGIN_Severity_name": "CRITICAL", "ProductArea": "Application", "ORIGIN_Product": "Infrastructure"}

What's wrong in my transforms.conf configuration. Any help much appreciated.

transforms.conf

[severity]
REGEX = "level":\s\"(?<severity>\w+)
SOURCE_KEY = fields:level
FORMAT = severity::"INFO"
WRITE_META = true

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎02-10-2025 02:13 AM

Hi @RSS_STT 

The issue here is the source_key which is incorrectly set, it should be set to _raw, although _raw is the default so you could just remove that line entirely.

You also do not need to specify the naming of the extraction in the REGEX and instead use $1, so your resulting transform will look like:

 

[severity]
REGEX = "level":\s\"(\w+)
FORMAT = severity::"$1"
WRITE_META = true

 

Please let me know how you get on and consider upvoting/karma this answer if it has helped.
Regards

Will

Reply

RSS_STT
Explorer
‎02-10-2025 02:28 AM

it helped but how can ensure that it's create severity = INFO field only when level=Information.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎02-10-2025 03:20 AM

Oh I see, sorry.

In that case you could do:

 

[severity]
REGEX = "level":\s\"(Informational)
FORMAT = severity::INFO
WRITE_META = true

 

This means it will only set the severity field (to INFO) when level=Informational - Is this what you want, or should it be other values if not Informational?

Is there a particular reason you are looking to make this index-time instead of a search-time change?

 

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...