Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you apply transforms to all events meant for a specific index?

ricotries
Communicator
‎05-23-2020 01:38 PM

In my testing environment I have three main indexes that are specific to the data stored within them. I want to change the host value of all events by appending a string at the end of the host at index time (similar to a domain name, as an example) and I know how to do this with the props-transforms configuration, but I can only do it based on sourcetype, host, or source. Is there a way to do the same thing but based on index?

For example, 

index1: host -> host.test1, something -> something.test1
index2: tmp -> tmp.test2
index3: hello -> hello.test3

I know how to do this based on the host field, for example:
Props.conf

[host::*]
TRANSFORMS-appendname = append_name

Transforms.conf

[append_name]
SOURCE_KEY = MetaData:Host
REGEX = (.*)
FORMAT = $1.test
DEST_KEY = MetaData:Host

And in this case, every host that forwards logs to my indexer would have their events stored as 

host = hostname.test

How do I do the same thing but based on the target index?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-23-2020 02:26 PM

transforms.conf

 [append_name]
 INGEST_EVAL = host=case(index="index1", host.".test1", index="index2", host.".test2", index="index3", host.".test3", true(), host)
 WRITE_META = true

INGEST_EVAL can be used as eval
How about this?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-23-2020 02:26 PM

transforms.conf

 [append_name]
 INGEST_EVAL = host=case(index="index1", host.".test1", index="index2", host.".test2", index="index3", host.".test3", true(), host)
 WRITE_META = true

INGEST_EVAL can be used as eval
How about this?

0 Karma
Reply
Solved! Jump to solution

ricotries
Communicator
‎05-23-2020 03:16 PM

I was not aware of that setting. Because it works exactly like eval you can do the following then:

[append_name]
INGEST_EVAL = host=case(index="index1", host.".test1", index="index2", host.".test2", index="index3", host.".test3", true(), host)
WRITE_META = true

Take note that to concatenate the host value and a string you have to type a period before the string.

host."<string>" = host<string>
host.".<string>" = host.<string>

If you change your answer with the revised working (I tested it) eval declaration, I'll accept it.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎05-23-2020 03:20 PM

I see, My answer is updated.

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...