understanding the transforms.conf

kteng2024 · ‎03-01-2017

hi,
Can someone please explain me the below transforms.conf . I read the documentation ,but it's not clear to me .

[route-index-abc]
REGEX = (.*) ( what is the use of REGEX)
DEST_KEY = _MetaData:Index ( what is the use DEST_KEY)
FORMAT = server_application ( what is the use of FORMAT)

somesoni2 · ‎03-01-2017

The transforms.conf entry that you've is applied to each event of a sourcetype, source or host.

The REGEX is a regular expression that tries to find a match from the value of SOURCE_KEY (an attribute which has default value as _raw, your raw data). A dot means it'll match everything (the transform will be done for all events).
DEST_KEY - it provides a Splunk field (that are available at the time of parsing) where the transformation will be applied.
FORMAT - it's a value that will be applied to value of DEST_KEY

So basically what it's doing here is, for each event, change the value of index (represented as _MetaData:Index in transforms.conf) with value server_application, regardless of what it's original value was.

somesoni2 · ‎03-01-2017

Its' actually solving this problem
https://answers.splunk.com/answers/246672/how-can-i-override-an-index-name-based-on-sourcety.html

understanding the transforms.conf

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!