Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: how to write the props.conf stanze to test the...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pavanae
Builder
08-27-2019
03:25 PM
The following is transforms.conf in my search head
[a_b]
SOURCE_KEY = _meta
REGEX = (logtype::A.*(id::(123|456)|(id::789.*username!::[a-zA-Z]{2,3}-+.*?-ZLX))
DEST_KEY = _ghi
FORMAT = KLMN
Now how to write my props.conf in order to test the REGEX in the above transforms.conf works. Especially I would like to see if the id=789 and username not equall to the string that ends with -ZLX?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
p_gurav
Champion
08-28-2019
01:30 AM
To props.conf, add the following lines:
[<sourcetype_name>]
TRANSFORMS-<class> = a_b
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
09-01-2019
01:16 PM
Why are you using SOURCE_KEY = _meta? What do you think that your REGEX will match (and have you tested it with a tool like http://www.RegEx101.com)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
p_gurav
Champion
08-28-2019
01:30 AM
To props.conf, add the following lines:
[<sourcetype_name>]
TRANSFORMS-<class> = a_b
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pavanae
Builder
08-28-2019
07:52 AM
Thanks @p_gurav. what does line 2 means. What should I specify there?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
09-01-2019
01:15 PM
The <class> is fully arbitrary and the only requirement is that it must be unique across all configuration settings so do not pick a common/simple string.
Get Updates on the Splunk Community!
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
