Solved: Re: how to write the props.conf stanze to test the...

pavanae · ‎08-27-2019

The following is transforms.conf in my search head

[a_b]
SOURCE_KEY = _meta
REGEX = (logtype::A.*(id::(123|456)|(id::789.*username!::[a-zA-Z]{2,3}-+.*?-ZLX))
DEST_KEY = _ghi
FORMAT = KLMN

Now how to write my props.conf in order to test the REGEX in the above transforms.conf works. Especially I would like to see if the id=789 and username not equall to the string that ends with -ZLX?

p_gurav · ‎08-28-2019

To props.conf, add the following lines:

[<sourcetype_name>]
TRANSFORMS-<class> = a_b

View solution in original post

woodcock · ‎09-01-2019

Why are you using SOURCE_KEY = _meta? What do you think that your REGEX will match (and have you tested it with a tool like http://www.RegEx101.com)?

p_gurav · ‎08-28-2019

To props.conf, add the following lines:

[<sourcetype_name>]
TRANSFORMS-<class> = a_b

pavanae · ‎08-28-2019

Thanks @p_gurav. what does line 2 means. What should I specify there?

woodcock · ‎09-01-2019

The <class> is fully arbitrary and the only requirement is that it must be unique across all configuration settings so do not pick a common/simple string.

how to write the props.conf stanze to test the transforms Regex?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?