Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Regex to match two fields in transforms.conf
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
danbrook
Explorer
03-16-2017
06:06 AM
I'm looking to match against two fields in transforms.conf. I would like to match against a customer _meta field and the source field then route to a specific index based on that. There is a good reason for me not matching on inputs.conf that I won't go into here.
I would like to match
regex=MyCustomField::somestring AND regex=source::syslog
I'd also like to be able to test this in search before committing it to transforms.conf
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
03-16-2017
11:22 AM
Okay, you have to make sure that your extraction transforms are happening in the right order. This can't really be tested in "search", so I recommend you set yourself up a sandbox instance.
There are lots of good answers on overriding metadata and sending to a new index. But a workable final architecture is going to depend on knowing your data and your existing transforms.
1) Is MyCustomField::somestring going to occur in any source other than syslog?
2) When does MyCustomField get extracted?
Your new transform will need to be called and evaluated AFTER MyCustomField exists, but only for events in source=syslog.
If you can make that happen, then the stanza would look something like this...
[index_reset_for_MyCustomField]
SOURCE_KEY = MyCustomField
DEST_KEY = _MetaData:index
REGEX = somestring
FORMAT = mynewindexname
If you CANNOT determine an order where that would happen, then you might have to do place a ricochet shot. You can't really PROGRAM in a stanza, or concatenate two fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
03-16-2017
11:22 AM
Okay, you have to make sure that your extraction transforms are happening in the right order. This can't really be tested in "search", so I recommend you set yourself up a sandbox instance.
There are lots of good answers on overriding metadata and sending to a new index. But a workable final architecture is going to depend on knowing your data and your existing transforms.
1) Is MyCustomField::somestring going to occur in any source other than syslog?
2) When does MyCustomField get extracted?
Your new transform will need to be called and evaluated AFTER MyCustomField exists, but only for events in source=syslog.
If you can make that happen, then the stanza would look something like this...
[index_reset_for_MyCustomField]
SOURCE_KEY = MyCustomField
DEST_KEY = _MetaData:index
REGEX = somestring
FORMAT = mynewindexname
If you CANNOT determine an order where that would happen, then you might have to do place a ricochet shot. You can't really PROGRAM in a stanza, or concatenate two fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
danbrook
Explorer
03-16-2017
12:18 PM
Ah ha! Yes I add the MyCustomField on the input from a Universal Forwarder. I want to set the index name based on the value in MyCustomField so maybe I can match in props.conf for the source and then pull out the value for MyCustomField to build the Index name.
props.conf
[source::syslog]
TRANSFORMS-Index-Syslog = Set-Index-Syslog
transforms.conf
[Set-Index-Syslog]
SOURCE_KEY = MetaData:MyCustomField
REGEX = (.*)
DEST_KEY = _MetaData:Index
FORMAT = index-$1-Syslog
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
03-16-2017
04:53 PM
The two requirements for that to work are (1) MyCustomField must be extracted before the [source::syslog] stanza is reached, and (2) the value of MyCustomField must have been set to whatever you want sandwiched into the index name.
I would probably use
REGEX = (.+)
since the other would match an empty (but not a null) field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
03-16-2017
08:16 AM
I assume "now matching" was supposed to be "not matching"?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
danbrook
Explorer
03-16-2017
08:20 AM
Yes, edited.
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
