Hello,
I want to change my source names to shorter ones. At first I had something that worked very well.
transforms.conf:
[short_source]
SOURCE_KEY = Metadata:Source
REGEX = myregex(my_capturing_group)
DEST_KEY = Metadata:Source
FORMAT = source::$1
But then I had to change my Splunk version (the new one is 7.1.1), and I got an error when checking my configuration files: "undocumented key in transforms.conf ; stanza='short_source' setting='SOURCE_KEY'". Above you can see what I tried according to the Splunk documentation:
[short_source]
SOURCE_KEY = Metadata:Source
REGEX = myregex(my_capturing_group)
DEST_KEY = Metadata:Source
FORMAT = source::$1
[accepted_keys]
is_accepted = Metadata:Source
After a restart, I don't have the error anymore, but the source is not changing on my newly indexed data.
Of course I have the appropriate stanza in props.conf:
[my_sourcetype]
TRANSFORMS-source = short_source
Thank you for your help!
Try MetaData:Source with capital D.
[short_source]
SOURCE_KEY = MetaData:Source
REGEX = myregex(my_capturing_group)
DEST_KEY = MetaData:Source
FORMAT = source::$1
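
The capitalization check suggested in the answer can be automated before a restart. The following is an added example, not part of the original thread or of Splunk's tooling: a small linter that flags `SOURCE_KEY`/`DEST_KEY` values that match a known key name only when case is ignored. The function name `lint_transforms` is hypothetical, and the key list is an assumption based on the key names documented in transforms.conf.spec; verify it against the spec file shipped with your version.

```python
import re

# Key spellings as documented in transforms.conf.spec (assumption: check them
# against the spec file shipped with your Splunk version).
KNOWN_KEYS = ["_raw", "_meta", "_time", "queue", "MetaData:Host",
              "MetaData:Source", "MetaData:Sourcetype", "_MetaData:Index",
              "_TCP_ROUTING", "_SYSLOG_ROUTING"]
CANONICAL = {k.lower(): k for k in KNOWN_KEYS}
KEY_SETTINGS = {"SOURCE_KEY", "DEST_KEY"}


def lint_transforms(text):
    """Return (line_no, stanza, setting, found, expected) for each key whose
    value matches a known key only when case is ignored."""
    findings = []
    stanza = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            stanza = header.group(1)
            continue
        if "=" not in line:
            continue
        setting, value = (part.strip() for part in line.split("=", 1))
        if setting not in KEY_SETTINGS:
            continue
        expected = CANONICAL.get(value.lower())
        if expected is not None and expected != value:
            findings.append((line_no, stanza, setting, value, expected))
    return findings


# Constructed sample: the stanza from the question above.
SAMPLE = """\
[short_source]
SOURCE_KEY = Metadata:Source
REGEX = myregex(my_capturing_group)
DEST_KEY = Metadata:Source
FORMAT = source::$1
"""

if __name__ == "__main__":
    for line_no, stanza, setting, found, expected in lint_transforms(SAMPLE):
        print(f"line {line_no} [{stanza}] {setting}: {found!r} -> {expected!r}")
```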