Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: how to write the props.conf stanze to test the...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pavanae
Builder
08-27-2019
03:25 PM
The following is transforms.conf in my search head
[a_b]
SOURCE_KEY = _meta
REGEX = (logtype::A.*(id::(123|456)|(id::789.*username!::[a-zA-Z]{2,3}-+.*?-ZLX))
DEST_KEY = _ghi
FORMAT = KLMN
Now how to write my props.conf in order to test the REGEX in the above transforms.conf works. Especially I would like to see if the id=789 and username not equall to the string that ends with -ZLX?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
p_gurav
Champion
08-28-2019
01:30 AM
To props.conf, add the following lines:
[<sourcetype_name>]
TRANSFORMS-<class> = a_b
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
09-01-2019
01:16 PM
Why are you using SOURCE_KEY = _meta? What do you think that your REGEX will match (and have you tested it with a tool like http://www.RegEx101.com)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
p_gurav
Champion
08-28-2019
01:30 AM
To props.conf, add the following lines:
[<sourcetype_name>]
TRANSFORMS-<class> = a_b
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pavanae
Builder
08-28-2019
07:52 AM
Thanks @p_gurav. what does line 2 means. What should I specify there?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
09-01-2019
01:15 PM
The <class> is fully arbitrary and the only requirement is that it must be unique across all configuration settings so do not pick a common/simple string.
Get Updates on the Splunk Community!
Splunk Observability for AI
Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights!
Duration: ...
Splunk Observability as Code: From Zero to Dashboard
For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...
