Hi, I have the following transforms.conf: [REPLACEMENT_COST] CLEAN_KEYS = 0 FORMAT = $1"REPLACEMENT_COST2":"$2$s"$3 REGEX = (.*)"REPLACEMENT_COST":([^,]+)(.*) #SOURCE_KEY = REPLACEMENT_COST DEST_KEY = _raw I had to write s in the FORMAT field right after $, since otherwise, it does nothing. Is there any option to escape the dollar sign in this field? The relevant props.conf is: [json_multiline] DATETIME_CONFIG = INDEXED_EXTRACTIONS = json LINE_BREAKER = ([\r\n]+) MAX_DAYS_AGO = 10000 NO_BINARY_CHECK = true TIMESTAMP_FIELDS = LAST_UPDATE TIME_FORMAT = %m/%e/%y %H:%M category = Custom pulldown_type = 1 disabled = false KV_MODE = none EVAL-DESCRIPTION = replace(DESCRIPTION, "([A-Z])", " \1") EVAL-SPECIAL_FEATURES = split(replace(SPECIAL_FEATURES, "([A-Z])", " \1"), ",") LOOKUP-LANGUAGE = LANGUAGE.csv LANGUAGE_ID TRANSFORMS-REPLACEMENT = REPLACEMENT_COST Thanks

Hi, I need help generating search queries using SPL, especially in my new role as a SOC Analyst. I would like to know if you can guide me towards any other training programs on SPL. While I did take some training from the Splunk website, I still needed to meet my expectations. I would appreciate any advice you could give me. Thank you for your time and support. I wish you a wonderful holiday season and a happy new year. Best regards, Osama Faheem  

I want to send custom logs to Splunk Enterprise from Apigee API proxy. I have installed the trial version of Splunk Enterprise. I am following the method with HEC token explained in this article: https://community.splunk.com/t5/Getting-Data-In/How-to-connect-Apigee-Edge-to-Splunk/m-p/546923. However, I am unable to send logs to Splunk. Any help in this regard will be appreciated.