×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
ra__22
Explorer
Member since: ‎03-11-2025
‎05-09-2025
Community Statistics
Posts 3
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎03-11-2025
View All

Re: Creating a new sourcetype and performing trans...

by in Getting Data In
‎03-17-2025 07:27 AM
‎03-17-2025 07:27 AM
Hey @PickleRick  Thanks for the response. Thats how I understand it as well, but it doesnt seem to be working for me. Even if I re-arrange how Im calling the transforms, I am not able to stop id:32605 from appearing in my sourcetype. The below configurations result in  sourcetype = test : all ids are appearing sourcetype = test-2: populated with (id = 32605 & the word successfully ) Even though Im certain I should be filtering out id = 32605. Ive tested the regex and its certainly matching my logs. Are there any tools to see more in-depthly how transforms are working/being applied on the backend? My props now looks like this: [ORIGIN1] REGEX = \"id\":\"32605\".*successfully FORMAT = sourcetype::test-2 DEST_KEY = MetaData:Sourcetype [ORIGIN2] REGEX = successfully.*\"id\":\"32605\" FORMAT = sourcetype::test-2 DEST_KEY = MetaData:Sourcetype [SAVE_OTHERS2] REGEX ="id":"(?!32605\b)\d+" DEST_KEY = queue FORMAT = indexQueue [null] REGEX = \"id\":\"32605\" FORMAT = queue DEST_KEY = nullQueue Transforms: [test] TRANSFORMS-rename_sourcetype = null, ORIGIN1, ORIGIN2, SAVE_OTHERS2 SHOULD_LINEMERGE = false ... View more

Re: Creating a new sourcetype and performing trans...

by in Getting Data In
‎03-12-2025 01:31 PM
‎03-12-2025 01:31 PM
Thanks @livehybrid . I've written some new props/transforms to try to get the same result, however now Im running into trouble again.  So my real issue is that there are alot of logs coming in to ID: 32605 that do not have 'successfully' in them that I need to send to the null queue/get rid of. But I dont seem to be able to both get the logs I want to the new sourcetype and get rid of these unwanted ones. Seems no matter the order I put the transforms in below, it does not work. I also tried creating a transform where I specifically target id = 32605 and the log not having the word 'successfully'. That doesnt seem to work either.  Transforms: [ORIGIN1] REGEX = (?:\"id\":\"32605\".*successfully) FORMAT = sourcetype::test-2 DEST_KEY = MetaData:Sourcetype [ORIGIN2] REGEX = (?:successfully.*\"id\":\"32605\") FORMAT = sourcetype::test-2 DEST_KEY = MetaData:Sourcetype [SAVE_OTHERS2] REGEX =(?:"id":"(?!32605\b)\d+") DEST_KEY = queue FORMAT = indexQueue [JUNK] REGEX = (?:"id":"32605") DEST_KEY = queue FORMAT = nullQueue Props: [test] TRANSFORMS-rename_sourcetype = ORIGIN1, ORIGIN2, JUNK, SAVE_OTHERS2 SHOULD_LINEMERGE = false   ... View more

Creating a new sourcetype and performing transform...

by in Getting Data In
‎03-11-2025 11:46 AM
‎03-11-2025 11:46 AM
If I have a transforms.conf like the below: [ORIGIN2] REGEX = (?:"id":"32605") FORMAT = sourcetype::test-2 DEST_KEY = MetaData:Sourcetype [aa] REGEX = . DEST_KEY = queue FORMAT = nullQueue [bb] REGEX =(?=.*successfully) DEST_KEY = queue FORMAT = indexQueue   and I call the props like the following: [test] TRANSFORMS-rename_sourcetype = ORIGIN2 SHOULD_LINEMERGE = false EVAL-ok = "ok" [aslaof:test-2] EVAL-action2 = "whatt" TRANSFORMS-eliminate_unwanted_data = aa,bb EVAL-action = "nooooo"   I cant seem to figure out why Im not allowed to perform a transform on my newly created sourcetype. Oddly, Splunk registers my 2 EVAL commands, but my transforms are not performed. Am I not allowed to perform transforms on a sourcetype I just created? Also tried combining the initial transform that creates the sourcetype into one piece: REGEX = (?=.*"id":"32605")(?=.*successfully), but this does not seem to work either.    ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎05-09-2025 08:18 PM
Karma given to
View All