route and rewrite

caphrim007 · ‎08-25-2010

I was wondering if it were possible to do a mask on events in addition to sending them to a separate index.

Since the changes I think I need to make are both in the props and transforms.conf, I'm not thinking this is possible, but figured I'd ask.

I have log entries that have a large amount of text prefixed to them (they are event sentry logs) and so I was going to use a transforms.conf stanza to remove that. But I also wanted to route them to a particular index so that I could use ACLs to allow the people sending me those logs to see them without having to get into srchFilter hell.

Stephen_Sorkin · ‎08-25-2010

As gkanapathy said, you can run any number of TRANSFORMS on your data. As far as removing undesired parts of the log lines, I'd strongly suggest using SEDCMD directives from props.conf, as it's significantly easier to configure simple text transformations using sed syntax than SOURCE_KEY, REGEX, FORMAT, DEST_KEY in transforms.conf.

gkanapathy · ‎08-25-2010

Yes, you can do both. You can simply specify multiple TRANSFORMS entries for your source/sourcetypes in props.conf. All of them will run. In this particular case, it doesn't matter what order they happen in, so you can just have an entry for each action you want. (setting the index routing doesn't cause it to index, it just indicates which index it will go to when it does index).

route and rewrite

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life