I noticed that in Splunk 5.0.3, transforms.conf has a new section called [accepted_keys]. Does anyone have an example of how this can be used?
I am adding events via the REST API, with the receivers/simple endpoint. I'm also using the Python SDK. I want to add custom metadata to a group of events in the form of index fields. Much like when I use the API I can specify the host, source, and index as HTTP query parameters when posting the data, I want to specify arbitrary HTTP query parameters that I want Splunk to turn into index fields.
POST ....blah/receivers/simple?source=myfile.txt&support_ticket=123456
Where I want Splunk to treat the support_ticket query param as an index field to be applied to all events in the POST.
According to http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Transformsconf
[accepted_keys]
Here is an example of the [accepted_keys] usage:
I did see that documentation. I guess I was hoping for a bit more clarity with perhaps an example on how one might put this functionality to work.