Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

transforms.conf and props.conf

fi5033
Engager
‎06-22-2011 07:39 AM

I am trying to extract some values from the Host field. For example, variations of host name being:
labAppdev03, labWebdev01, labDocDev02. What I am trying to get is App, Web or Doc as a role field out of host name field.

What I have so far:

transforms.conf:

[role]
SOURCE_KEY=MetaData:Host
REGEX=host::*(App|Web|Doc)*
FORMAT=role::app
WRITE_META=true

Props.conf:

[sourceone]
TRANSFORMS-role=role
0 Karma
Reply

southeringtonp
Motivator
‎06-22-2011 07:48 AM

For FORMAT, it should reference the number of the capture group in your regular expression (i.e., which set of parentheses are you looking in). You only need WRITE_META for index-time field extractions, which are usually best avoided. Similarly, you can just use host here in SOURCE_KEY, since it will be a normal field at that point. Last, for your regex - either use .* to match multiple characters, or just leave it out completely since you're already matching anywhere within the hostname.

Try:

#transforms.conf
[role]
SOURCE_KEY=host
REGEX=(App|Web|Doc)
FORMAT=role::$1

#props.conf:
[sourceone]
TRANSFORMS-role=role
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...