AS per props.conf documentation
Use a comma-separated list to apply multiple transform stanzas to a single
TRANSFORMS extraction. Splunk applies them in the list order. For example,
this sequence ensures that the [yellow] transform stanza gets applied
first, then [blue], and then [red]:
[source::color_logs]
TRANSFORMS-colorchange = yellow, blue, red
But I have an issue whereby I cannot put all the 3 transforms in single stanza.
[source::color_logs] # say this assigns a yellow_colored_logs sourcetype
TRANSFORMS-colorchange = yellow
[yellow_colored_logs]
TRANSFORMS-zcolorchange = blue,red
Will the above order work? So basically my question is will splunk handle transforms on serial order if I put in multiple stanza?
Hi koshyk,
I suggest to use one method to transform your logs (e.g. sourcetypes)
[yellow_colored_logs]
TRANSFORMS-zcolorchange1 = blue,red
[red_colored_logs]
TRANSFORMS-zcolorchange2 = blue,yellow
[blue_colored_logs]
TRANSFORMS-zcolorchange3 = red,yellow
testing order.
Bye.
Giuseppe
@cusello thanks for that. I will test and let you know. Meantime, I will upvote and if its successful I will mark as answer