Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field transformation based on source

stefan_radovano
Explorer
‎06-12-2014 02:30 AM

Hi All,

We log data from devices belonging to different customers, they are written to our syslog server in files named /data/log/CUSTOMER/site/router1.log, for example. I wanted to have a search-time field called customer with the value CUSTOMER, taken from the source filename.

I did this via the web GUI, under Settings/Fields/Field Transformation, this is what was written in $SPLUNK_HOME/etc/apps/search/local/transforms.conf:

[get_customer]
FORMAT = customer::$1
REGEX = \/data\/log\/(.*)\/site.*
SOURCE_KEY = MetaData:Source

Unfortunately nothing happens, I get no field named customer when I search. From what I can tell, the regex is correct. I also tried just "source" as SOURCE_KEY but nothing changed. Is anything wrong with my transform ?

I am also not sure how this transform is applied, is it run against log messages arriving via all indexes ?

As additional info, we are running splunk on a separate server (so basically the indexer) and we use a light forwarder on our syslog server. The transform above is done on the indexer.

Thanks,
Stefan

Reply
1 Solution
Solved! Jump to solution
Solution

emechler_splunk
Splunk Employee
Splunk Employee
‎06-13-2014 03:10 PM

In props.conf:

[your_sourcetype]
EXTRACT = \/data\/log\/(?<customer>\w+)\/site.* in source

No need to touch transforms.conf for this.

View solution in original post

Reply
Solved! Jump to solution

stefan_radovano
Explorer
‎06-14-2014 05:37 AM

Yes, I do have that too.

0 Karma
Reply
Solved! Jump to solution
Solution

emechler_splunk
Splunk Employee
Splunk Employee
‎06-13-2014 03:10 PM

In props.conf:

[your_sourcetype]
EXTRACT = \/data\/log\/(?<customer>\w+)\/site.* in source

No need to touch transforms.conf for this.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-14-2014 11:50 AM

You could also just add in source after the end of the field extraction regex when editing it through the UI.

Reply
Solved! Jump to solution

emechler_splunk
Splunk Employee
Splunk Employee
‎06-14-2014 09:41 AM

You can do this in SPL itself:

| extract reload=t

0 Karma
Reply
Solved! Jump to solution

stefan_radovano
Explorer
‎06-14-2014 06:15 AM

I actually tried to do this via GUI (Fields/Field Extraction) but when I chose "source" for "Apply To", it also wanted me to specify which source. I obviously didn't want to restrict it to one particular source, didn't know what to put in there. Was I doing something wrong ?

In any case, this worked. I just had to restart splunk. Is there no way around restarting ?

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-13-2014 02:34 PM

Did you specify a REPORT-foo = get_customer entry in props.conf for that sourcetype?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...