trying to rename source at index time with transfo...

julienoud · ‎07-05-2018

hello,

I want to change my source names in shorter ones. At first I had something that worked very well.
transforms.conf :

[short_source]
SOURCE_KEY = Metadata:Source
REGEX =myregex(my_capturing_group)
DEST_KEY = Metadata:Source
FORMAT = source::$1

But then i had to change my Splunk version, (the new one is 7.1.1), and i got an error when checking my configuration files : "undocumented key in transforms.conf ; stanza='short_source' setting='SOURCE_KEY'. Above you can see what I tried according to the splunk documentation :

[short_source]
SOURCE_KEY = Metadata:Source
REGEX = myregex(my_capturing_group)
DEST_KEY = Metadata:Source
FORMAT = source::$1

[accepted_keys]
is_accepted = Metadata:Source

After restart, I don't have error anymore, but the source is not changing on my new indexed data.
Of course i have the appropriate stanza in porps.conf :

[my_sourcetype]
TRANSFORMS-source = short_source

Thank you for your help!

ss026381 · ‎10-24-2019

Try MetaData:Source with capital D.

 [short_source]
SOURCE_KEY = MetaData:Source
REGEX = myregex(my_capturing_group)
DEST_KEY = MetaData:Source
FORMAT = source::$1

trying to rename source at index time with transforms.conf

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?