I am a little bit confused by the explanation given for DEST_KEY in transforms.conf. May I know what its exact function is?
There are two options: Field extractions at indexing time or at search time (e.g. CIM compliance).
You can define extractions using RegEx in the transforms.conf at indexing time (e.g. using a heavy forwarder). To do so, you can specify the DEST_KEY after a RegEx to determine where to store your data.
Skalli
Edit: Ah, too slow. 🙂
@ankithreddy777 - Did one of the answers below help provide a solution to your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.
Hi ankithreddy777,
see https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Transformsconf
DEST_KEY specifies where Splunk stores the expanded FORMAT results in accordance with the REGEX match.
Bye.
Giuseppe
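Worked example added here to illustrate both answers above; it is not code from the thread or from Splunk's documentation. It shows the three DEST_KEY targets an admin most often uses on a heavy forwarder: `queue` (drop events before indexing), `MetaData:Sourcetype` (rewrite the sourcetype), and `_meta` (store a capture group as an indexed field). The sourcetype `syslog_fw`, the stanza names, and the regexes are constructed for the example.

```ini
# props.conf (assumed location: a heavy forwarder or indexer)
# Apply the three transforms, in this order, to every event of the
# constructed sourcetype "syslog_fw".
[syslog_fw]
TRANSFORMS-fw = fw_drop_debug, fw_set_sourcetype, fw_index_action

# transforms.conf

# 1. DEST_KEY = queue
#    Events whose _raw matches REGEX are sent to nullQueue and are never
#    indexed, so noisy DEBUG lines do not consume license or disk.
[fw_drop_debug]
REGEX = \sDEBUG\s
DEST_KEY = queue
FORMAT = nullQueue

# 2. DEST_KEY = MetaData:Sourcetype
#    Events from the constructed host name "vpn-gw" get their sourcetype
#    rewritten; FORMAT must use the "sourcetype::<value>" form.
[fw_set_sourcetype]
REGEX = ^\S+\s+\S+\s+\S+\s+vpn-gw\s
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::syslog_vpn

# 3. DEST_KEY = _meta
#    The first capture group is written as the indexed field "action".
#    With DEST_KEY = _meta, WRITE_META is not required; FORMAT uses the
#    "<field>::$<group>" form.
[fw_index_action]
REGEX = \baction=(\w+)
DEST_KEY = _meta
FORMAT = action::$1
```

Two caveats a practitioner will want: index-time transforms only run on the first Splunk instance that parses the data (a heavy forwarder or an indexer, not a universal forwarder), and an indexed field created through `_meta` should also be declared in fields.conf with `INDEXED = true` so that searches on `action=` use the index rather than falling back to search-time extraction. Because these rules run before indexing, test the REGEX against sample events first; a rule that drops the wrong events to nullQueue loses data that cannot be recovered by changing the config later.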