Not exactly sure how to phrase this, but how can I remodel my data input via Splunk?
For example, my raw data looks like this:
Tag= Parameter Value =2
Parameter = 2 in Splunk such that I can search for Parameter = Some Value
In your transforms.conf, add this
[unique_stanza_name] REGEX = Tag=\s?(\w+)\s+Value\s?=(\d+) FORMAT = $1::$2
Here's more on how that works
Hey Sundaresh,
I tried this out with a restart, I didnt notice anything. Also, i added the transforms.conf under etc/system/local
Am I doing this right?
