Documentation: 3.0.1
This page last updated: 09/26/07 12:09pm

transforms.conf

transforms.conf defines the regex-based transformations that Splunk applies to events: rules for correlating events into meta-events, extracting fields, rewriting event keys (for example the destination index), and masking text in the event. A transformation is bound to events from a particular source, host or sourcetype in props.conf; transforms.conf only defines what each transformation does.

To edit this configuration for your local Splunk server, make your edits in $SPLUNK_HOME/etc/bundles/local/transforms.conf.

You can create this file by copying examples from $SPLUNK_HOME/etc/bundles/README/transforms.conf.example.

Never edit the files in the default bundle, $SPLUNK_HOME/etc/bundles/default: an upgrade may overwrite your changes there.

transforms.conf.spec

# Copyright (C) 2005-2007 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This file contains all possible options for a "transforms.conf" file.
#
# The regex processor of splunk is configured through the files
# $SPLUNK_HOME/etc/bundles/<bundle name>/transforms.conf
#

# A configuration looks like:

[<regex name>]
attribute1 = val1
attribute2 = val2
...

# Splunk KEYs for events:
_raw  : The raw text of the event.

_done : If set to any string, this is the last event in a stream.

_meta : A space separated list of "meta data" for an event.
        The meta data is displayed below the event in SplunkWeb.

_time : The timestamp of the event, in seconds since 1/1/1970 UTC.

queue : The queue to be used by the next queue output processor.

cluster : A cluster identifier to be used to create meta events.

MetaData:FinalType  : The event type of the event.
MetaData:Host       : The host associated with the event.
                      The value must be prefixed by "host::"
_MetaData:Index     : The index where the event should be stored.
MetaData:Source     : The source associated with the event.
                      The value must be prefixed by "source::"
MetaData:Sourcetype : The sourcetype of the event.
                      The value must be prefixed by "sourcetype::"

In general, any KEY prefixed with '_' is not indexed by Splunk.

# The precedence rules are the same as in props.conf.spec.

The possible attributes/value pairs, and their default values, are:

SOURCE_KEY = <string> (_raw)
  * Specifies which KEY in the event should be the source of the string
    on which to perform the regex.

LOOKAHEAD = <integer> (256)
  * Specifies how many characters into the SOURCE_KEY string the regex may
    examine; a match that would need text beyond that point does not happen.
    Raise it when a value you extract or mask can appear late in a long event.

REGEX = <regular expression> (Empty)
  * If set, this is the regular expression that will operate on the data.

FORMAT = <string> ($1)
  * A string in which each $n is replaced by the text captured by the n-th
    parenthesized group of the REGEX. If the REGEX has fewer than n groups,
    the match fails. The special identifier $0 expands to the value that was
    in the DEST_KEY before this regex was performed.

DEFAULT_VALUE = <string> (Empty)
  * If set, and the regex fails, this value will be written to the DEST_KEY.

DEST_KEY = <string> (<regex name>)
  * Specifies the KEY in which the formatted result of running the regex is
    stored; it defaults to the name of the stanza. The formatted result
    replaces the whole value of the KEY, so a transform that rewrites only
    part of _raw (masking, for example) must capture the surrounding text and
    reproduce it in FORMAT.

REPEAT_MATCH = <bool> (False)
  * Specifies whether the regular expression should be run several times on
    the SOURCE_KEY. If set, it will start wherever the last match stopped, and
    will continue until no more matches are found.

WRITE_META = <bool> (False)
  * Specifies that whatever was written to DEST_KEY should also be appended to
    the "meta data" for the event.
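As an added illustration (this is not code from the Splunk documentation or product), the following Python models the attribute semantics listed above: it parses a constructed transforms.conf text with Python's configparser and applies each stanza to constructed sample events, implementing SOURCE_KEY, LOOKAHEAD, REGEX, FORMAT ($n and $0), DEFAULT_VALUE, DEST_KEY, REPEAT_MATCH and WRITE_META as the spec describes them. The stanza names, the sample events and the assumption that stanzas run in file order are mine; Splunk's own regex processor is not reproduced, and the props.conf binding that selects which stanzas apply to which events is left out.

```python
import configparser
import re

# Constructed transforms.conf text (illustration, not shipped Splunk config):
# mask a credential in _raw, route critical events to a separate index, and
# copy every key=value pair into the event's meta data.
TRANSFORMS_CONF = r"""[mask-password]
REGEX = ^(.*password=)\S+(.*)$
FORMAT = $1********$2
DEST_KEY = _raw
[route-critical]
REGEX = sev=crit
FORMAT = security
DEFAULT_VALUE = main
DEST_KEY = _MetaData:Index
[extract-kv]
REGEX = (\w+)=(\S+)
FORMAT = $1::$2
REPEAT_MATCH = true
WRITE_META = true
"""
# Same config with the masking stanza's LOOKAHEAD raised above the 256 default.
TRANSFORMS_CONF_LONG = TRANSFORMS_CONF.replace(
    "DEST_KEY = _raw", "DEST_KEY = _raw\nLOOKAHEAD = 4096")

# Defaults from transforms.conf.spec; DEST_KEY defaults to the stanza name.
DEFAULTS = {"SOURCE_KEY": "_raw", "LOOKAHEAD": "256", "REGEX": "", "FORMAT": "$1",
            "DEFAULT_VALUE": "", "REPEAT_MATCH": "false", "WRITE_META": "false"}

# Constructed sample events (not real logs). The third carries its secret past
# offset 256, where the default LOOKAHEAD never looks.
SAMPLE_EVENTS = [
    "2007-09-26T12:09:00 sev=crit user=alice src=10.0.0.5 password=hunter2 action=login",
    "2007-09-26T12:09:01 sev=info user=bob src=10.0.0.9 action=logout",
    "2007-09-26T12:09:02 sev=info user=carol " + "x" * 300 + " password=letmein",
]
_GROUP_REF = re.compile(r"\$(\d+)")


def load_transforms(conf_text):
    """Parse stanzas into attribute dicts, filling in the spec defaults."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep attribute names upper-case
    cp.read_string(conf_text)
    return [{**DEFAULTS, "DEST_KEY": name, **dict(cp.items(name))} for name in cp.sections()]


def expand_format(fmt, match, previous):
    """Replace $n with REGEX group n; $0 is DEST_KEY's value before the stanza ran.
    Returns None when FORMAT names a group the REGEX lacks (the spec: match fails)."""
    def group(m):
        n = int(m.group(1))
        if n > match.re.groups:
            raise LookupError(n)
        return previous if n == 0 else (match.group(n) or "")
    try:
        return _GROUP_REF.sub(group, fmt)
    except LookupError:
        return None


def apply_stanza(event, attrs):
    """Apply one stanza to an event dict in place; return True if the REGEX matched."""
    dest, previous = attrs["DEST_KEY"], event.get(attrs["DEST_KEY"], "")
    # LOOKAHEAD: only this many leading characters of SOURCE_KEY are searched.
    haystack = event.get(attrs["SOURCE_KEY"], "")[: int(attrs["LOOKAHEAD"])]
    regex = re.compile(attrs["REGEX"])
    repeat = attrs["REPEAT_MATCH"].lower() == "true"
    write_meta = attrs["WRITE_META"].lower() == "true"
    matched, pos = False, 0
    while (m := regex.search(haystack, pos)) is not None:
        out = expand_format(attrs["FORMAT"], m, previous)
        if out is None:
            break
        matched, event[dest] = True, out  # the formatted result replaces DEST_KEY ...
        if write_meta:                    # ... and is appended to the meta data
            event["_meta"] = (event.get("_meta", "") + " " + out).strip()
        if not repeat or m.end() == pos:  # single match, or a zero-width stall
            break
        pos = m.end()  # REPEAT_MATCH: resume where the last match stopped
    if not matched and attrs["DEFAULT_VALUE"]:
        event[dest] = attrs["DEFAULT_VALUE"]  # REGEX failed: fall back to DEFAULT_VALUE
    return matched


def process(raw_events, conf_text):
    """Run every stanza, in file order (an assumption), over each raw event."""
    stanzas = load_transforms(conf_text)
    events = [{"_raw": raw} for raw in raw_events]
    for event in events:
        for attrs in stanzas:
            apply_stanza(event, attrs)
    return events


if __name__ == "__main__":
    for conf in (TRANSFORMS_CONF, TRANSFORMS_CONF_LONG):
        for ev in process(SAMPLE_EVENTS, conf):
            print(ev["_MetaData:Index"], "|", ev["_meta"], "|", ev["_raw"][-24:])
```

Running process() with the first config shows the two points a practitioner cares about. The third event keeps "letmein" in clear because the masking stanza's default LOOKAHEAD of 256 never reaches the credential and, with no DEFAULT_VALUE, a failed match leaves _raw untouched; the second config raises LOOKAHEAD for that stanza only and the secret is masked. Because the extraction stanza runs after the masking stanza in this model, _meta records password::******** rather than the secret; an extraction placed before the mask would copy the credential into the event's meta data, so order masking ahead of extraction.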

Comments

  1. Yes, you'll find it under the Fields section:
    http://www.splunk.com/doc/3.0/admin/30_admin_DefineAdditionalFields

  2. Do you have an example transforms.conf showing a regex for extracting fields?
