- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Multiple Transforms Stanzas Inside One Props Stanz...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Multiple Transforms Stanzas Inside One Props Stanza - Limit?
Here is my current props.conf stanza for UDP:514 syslog traffic. I am sending this traffic to multple indexes using transforms.conf
props.conf:
[syslog]
TRANSFORMS-index = Stan1, Stan2, Stan3
transforms.conf
[Stan1] SOURCE_KEY = MetaData:Host REGEX = (host1|host2|host3)\.domain\.here\.com DEST_KEY = _MetaData:Index FORMAT = index1 [Stan2] SOURCE_KEY = MetaData:Host REGEX = (host4|host5|host6)\.domain\.here\.com DEST_KEY = _MetaData:Index FORMAT = index2 [Stan3] SOURCE_KEY = MetaData:Host REGEX = (host7|host8|host9)\.domain\.here\.com DEST_KEY = _MetaData:Index FORMAT = index3
This seems to work just fine. However, I am now trying to add a 4th reference to a stanza in props.conf under syslog. When I do this, and add the appropriate stanza in transforms.conf, all of the syslog ends up in one index, and it doesn't seem to be consistent when I restart the Heavy Forwarder.
Is there a limit to how many stanzas I can reference in transforms.conf from one stanza in props.conf [syslog]?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
Facing few challlenges, mine is playing around with the same transforms.
I'm trying to achieve the same source data to forward to two different logical indexes and two different indexes groups.
Below is my senrio.
In props.conf used
[source::Dual_Data_Testing]
TRANSFORMS-source = Stan1, Stan2
In transforms.conf
[Stan1]
SOURCE_KEY = MetaData:Source
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = Index1
DEST_KEY = _TCP_ROUTING
FORMAT = IndexerGroup1
[Stan2]
SOURCE_KEY = MetaData:Source
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = Index2
DEST_KEY = _TCP_ROUTING
FORMAT = IndexerGroup2
Currently the above conf is not working.
Please any suggestion can we workaround for this ?
Thanks,
Arun Sunny
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The 4th one is just basically a continuation:
[Stan4]
SOURCE_KEY = MetaData:Host
REGEX = (host10|host11|host12).domain.here.com
DEST_KEY = _MetaData:Index
FORMAT = index4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the fourth stanza? It must be grabbing them all some how.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, there is no limit. Well, I suppose there is a limit for everything, but in this case it's certainly not 4.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the way I'm trying to do it a common approach?
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...
