In transforms.conf I can use DELIMS to extract the field by fixed format.
My question is, if one of the field is changeable, how can we resolve that?
Thanks,
Michael
Hi @michael_wong,
You can use host based transforms to achieve this. Define new transform setting And call this transform using host stanza.
Hi @scelikok,
Thanks for your answer. Can you tell more about how to make priority?
I have made the change, but looks it didn't take effect. If two report defined in transform.conf, which one will take effect?
Here is defined precedences over source, host, sourcetype https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf.
Can you share your configurations, so we can easier help you.
r. Ismo
No, they are same source, but have a bit difference since configuration inconsistent
