Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

transforms.conf

VijaySrrie
Builder
‎10-27-2020 08:15 PM

Hi,

How to write transforms.conf for the fields that are not present in metadata

For example, I need to write transforms for the field - asset_env

asset_env = PROD

Below transforms were not working.

[change_index_name]
SOURCE_KEY = field:asset_env
REGEX = ^asset_env::(\w+)
DEST_KEY = _MetaData:Index
FORMAT = index_$1
~
~

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-28-2020 12:03 AM

Hi @VijaySrrie,

let me understand: you want to create an index based on a condition (e.g. if host=host_prod, env=PROD otherwise is env=DEV), is it correct?

in this case you can create a calculated field [Settings -- Fields -- Calculated fields -- New calculated field] adding the rule for your sourcetype, e.g. for the above example

env=if(host=host_prod,"PROD","DEV")

 Ciao.

Giuseppe

0 Karma
Reply

VijaySrrie
Builder
‎10-28-2020 01:55 AM

Host = abcdpr,xyzpr,abcps,xyzps etc......

asset_env = PROD,PSUP,PSVT etc...

We have different different asset_env like asset_env = PROD, asset_env=PSVT, asset_env=PSUP likewise.

I will create index like (index_PROD, index_PSUP, index_PSVT)

Based on the transforms.conf, the logs based on  asset_env should go to respective index

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-28-2020 02:26 AM

Hi @VijaySrrie,

The easiest way is to manage the correct index addressingusing diferent inputs.conf for each host (you can manage them using a Deployment Server).

Otherwise you could override index on Indexers (of on Heavy Forwarders if present) based on the host value, something like this:

on props.conf

[host::host_PROD]
TRANSFORMS-override_index_PROD = override_index_PROD

[host::host_DEV]
TRANSFORMS-override_index_DEV = override_index_DEV

on transforms.conf

[override_index_PROD]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = index_PROD

[override_index_DEV]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = index_DEV

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...