Refine your search:

What is role of transforms.conf vs. props.conf for field extraction?

1

What is the role of props.conf vs. transforms.conf in field extraction? How do they relate to each other in order to make field extraction work?

asked 15 Jan '10, 18:21

Justin%20Grant's gravatar image

Justin Grant
1.7k181860
accept rate: 50%

2 Answers:
oldestnewestmost voted
2

The high-level answer is that props.conf says what rules are applied to any event and when they are applied, and transforms.conf actually defines those rules.

So in props.conf, you say "events with the sourcetype XXX has the extraction YYY applied to it at parse time" or "events from host HHH has lookup JJJ applied at search time". transforms.conf would specify exactly how extraction XXX worked, or where lookup JJJ comes from.

This is generally true, though it's a little muddied because some of the rules are specified directly in props.conf. Some of these (e.g., rules for parsing timestamps or line breaks) are only specified in props.conf, while others (search time field extractions) can be either directly defined in props.conf, or referenced back to transforms.conf

link

answered 15 Jan '10, 19:10

gkanapathy's gravatar image

gkanapathy ♦
32.6k4827
accept rate: 41%

when there's an option to put something in props.conf or transforms.conf, could you add more detail about when you'd want to put info in one vs. the other?

(15 Jan '10, 19:36) Justin Grant
1

regex based field extraction can be specified:
(1) inline in props.conf via the EXTRACT- field or
(2) in transforms.conf and referenced from props.conf via REPORT-

If you are reusing the extraction rule on other sources/sourcetypes/hosts it is recommended that you use (2), for extractions that you know are not going to be reused use (1)

link

answered 15 Jan '10, 20:02

Ledion%20Bitincka's gravatar image

Ledion Bitincka ♦
2.0k48
accept rate: 32%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×549
×43
×39

Asked: 15 Jan '10, 18:21

Seen: 2,580 times

Last updated: 15 Jan '10, 20:02

Related questions

Index time field extraction from another field

index-time extractions

Transforms.conf and props.conf field extractions

When is props.conf applied for search-time field extraction?

Is an index-time extraction right for my situation?

search-time versus index-time field extractions

Why is index-time field extraction not searchable?

Multiple matches in search-time transforms

Search-Time Field Extraction

Copyright © 2005-2012 Splunk Inc. All rights reserved.