Hi,
I have a small lab where there is a heavy forwarder. I can/want to perform a transformation on meta info at the heavy forwarder level. I have two related questions.
The first question --
I have a source field something like -- /<dir1>/<dir2>/<logfilename> and I want to remove /<dir1>/<dir2> from the source field. How can I do that?
I also want to rewrite the sourcetype field before sending data to the indexer. Let's say if we find secure in any part of the sourcetype, then the sourcetype should be secure (i.e. remove all other characters except secure).
Please help!
Thanks!
You can try rewriting (reformatting) the source key for your first question. You can use transforms and props to do that. Here's an example of how transforms.conf might look:
transforms.conf
[<unique_transform_stanza_name>]
SOURCE_KEY = MetaData:Source
REGEX = <regular_expression>
FORMAT = source::$1
DEST_KEY = MetaData:Source
props.conf
[<spec>]
TRANSFORMS-<value> = <unique_transform_stanza_name>
For your second question you can do pretty much the same thing, but operate on MetaData:Sourcetype instead of MetaData:Source.
There is additional and very helpful information here:
http://docs.splunk.com/Documentation/Splunk/4.2.4/Admin/Transformsconf
http://docs.splunk.com/Documentation/Splunk/4.2.4/Data/Configureindex-timefieldextraction
- please upvote if you find this answer useful
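A filled-in version of the two stanza pairs for the rewrites asked about in the question, added here as an illustration and not taken from the answer above or from Splunk's documentation. The stanza names, the [source::/...] scope and the regular expressions are assumptions; the source regex is written to work whether or not the MetaData:Source value carries its source:: prefix when REGEX runs, and both files go on the heavy forwarder (the side that parses), not the indexer.

```ini
# transforms.conf on the heavy forwarder (assumed stanza names)

# Question 1: /<dir1>/<dir2>/<logfilename>  ->  /<logfilename>
# The capture keeps only the last path component; FORMAT rebuilds
# the key with the source:: prefix Splunk expects in MetaData:Source.
[strip_leading_dirs]
SOURCE_KEY = MetaData:Source
REGEX = ^(?:source::)?/[^/]+/[^/]+(/[^/]+)$
FORMAT = source::$1
DEST_KEY = MetaData:Source

# Question 2: any sourcetype containing "secure" becomes exactly "secure".
# REGEX only matches when the substring is present, so other sourcetypes
# are left untouched; FORMAT is a literal, no capture group needed.
[force_secure_sourcetype]
SOURCE_KEY = MetaData:Sourcetype
REGEX = secure
FORMAT = sourcetype::secure
DEST_KEY = MetaData:Sourcetype

# props.conf on the heavy forwarder
# Scope is every source beginning with "/" (assumed); both transforms run
# in the listed order for events matching this stanza. Restart splunkd on
# the forwarder afterwards, since these are index-time settings.
[source::/...]
TRANSFORMS-rewrite_meta = strip_leading_dirs, force_secure_sourcetype
```

Because the heavy forwarder parses the data, the indexer receives cooked events and does not re-apply its own TRANSFORMS-, which is why the stanzas have to live on the forwarder.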
Will this work? I want to perform the transformation on the Heavy Forwarder and send the data to the indexer. I do not index locally.
In that case I would try using priority=n in the affected props stanzas. More on priority or precedence can be found here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
Thanks for the reply! This works. I have already tried this. But the problem with it is --