Documentation:
3.2.3
Transforms.conf specifies transformations to apply to events based on regex-based patterns, including rules for extracting fields or masking event text.
These transformations are applied to events from particular sources, hosts or sourcetypes via props.conf.
# This file contains possible attributes and values you can use to configure transform
# and event signing in transforms.conf.
#
# There is a transforms.conf in $SPLUNK_HOME/etc/bundles/default/. To set custom configurations,
# place a transforms.conf in your own custom bundle directory. For examples, see transforms.conf.example.
#
# For help creating a bundle directory, or to learn more about bundles (including bundle precedence)
# please see the documentation located at http://www.splunk.com/doc/latest/admin/bundleconfig.
[$UNIQUE_STANZA_NAME]
* Name your stanza. Use this name to configure props.conf.
* For example, in a props.conf stanza, enter TRANSFORMS-$VALUE = $UNIQUE_STANZA_NAME.
* Follow this stanza name with any number of the following attribute/value pairs.
* If you do not specify an entry for each attribute, Splunk will use the default value.
SOURCE_KEY = <string>
* Set which KEY to perform the regex on.
* Use the KEYs listed below.
* Defaults to _raw.
LOOKAHEAD = <integer>
* Specify how many characters into the string to search.
* Defaults to 256.
REGEX = <regular expression>
* If set, this is the regular expression that will operate on the data.
* Defaults to empty.
FORMAT = <string>
* A string with arguments specified by $n, where n represents the output
of the n-th parenthesized group of the REGEX.
* If the regex does not have n groups, the matching fails.
* The special identifier $0 represents what was in the DEST_KEY before this regex was performed.
* Defaults to $1.
DELIMS = <quoted string>
* Set delimiter characters to separate data into key-value pairs, and then to separate key from value.
* NOTE: Delimiters must be quoted with " " (to escape, use \).
* Usually, two sets of delimiter characters must be specified:
* the first to extract key/value pairs.
* the second to separate the key from the value.
* If you enter only one set of delimiter characters, then the extracted tokens:
* Are named with names from "fields", if "fields" are entered (below).
* OR even tokens are used as field names while odd tokens become field values.
FIELDS = <quoted string list>
* List the names of the field values extracted using "delims."
* NOTE: If field names contain spaces or commas they must be quoted with " " (to escape, use \).
* Defaults to "".
DEFAULT_VALUE = <string>
* If set, and the regex fails, this value will be written to the DEST_KEY.
* Defaults to empty.
DEST_KEY = <string>
* Specifies where the formatted result of running the regex should be stored.
* Use the KEYs listed below.
REPEAT_MATCH = <true/false>
* Specifies whether the regular expression should be run several times on the SOURCE_KEY.
* REPEAT_MATCH starts wherever the last match stopped, and continues until no more matches are found.
* Defaults to false.
WRITE_META = <true/false>
* Specifies that whatever was written to DEST_KEY should also be appended to the metadata for the event.
* Defaults to false.
# Splunk KEYs for events:
_raw : The raw text of the event.
_done : If set to any string, this is the last event in a stream.
_meta : A space separated list of "meta data" for an event.
The meta data is displayed below the event in the SplunkWeb.
_time : The timestamp of the event, in seconds since 1/1/1970 UTC.
queue : The queue to be used by the next queue output processor.
cluster : A cluster identifier to be used to create meta events.
MetaData:FinalType : The event type of the event.
MetaData:Host : The host associated with the event.
The value must be prefixed by "host::"
_MetaData:Index : The index where the event should be stored.
MetaData:Source : The source associated with the event.
The value must be prefixed by "source::"
MetaData:Sourcetype : The sourcetype of the event.
The value must be prefixed by "sourcetype::"
In general, any KEY prefixed by '_' will not be indexed by Splunk.
# This is an example transforms.conf. Use this file to create regexes and rules for transforms.
# Use this file in tandem with props.conf.
# There is a transforms.conf in the default directory ($SPLUNK_HOME/etc/bundles/default/).
# To set custom configurations, place a transforms.conf in your own custom bundle directory.
# Override host:
# The host value is derived from the event text itself: \s(\w*)$ captures the
# whitespace-preceded run of word characters at the very end of the event and
# writes it to MetaData:Host with the "host::" prefix that KEY requires (see the
# KEY list above).
# NOTE(review): \w* also matches an empty run, so an event whose _raw ends in
# whitespace would produce "host::" with no host name; \w+ would avoid that.
# Confirm against the regex engine in use before changing it.
# Because event content decides the host value, scope this transform in
# props.conf to sources whose content is trusted to carry a correct host token.
[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \s(\w*)$
FORMAT = host::$1
# Extracted fields:
# Intended to capture the text that follows a device_id=... token and a
# bracketed tag, and expose it as err_code.
# NOTE(review): the REGEX line appears truncated in this copy (it ends in an
# unterminated "(?"), and "\[w+\]" looks like it was meant to be "\[\w+\]".
# Verify the complete pattern against the original transforms.conf.example
# before copying this stanza.
[netscreen-error]
REGEX = device_id=[^ ]+\s+\[w+\](.*)(?
FORMAT = err_code::$1
# Mask sensitive data:
# Operates on _raw (the SOURCE_KEY default) and, with DEST_KEY = _raw, stores the
# rewritten text in place of the original event text.
# What the REGEX does and does not mask:
#   - the session id value is replaced by a fixed "########", but its last four
#     word characters remain in clear text ($2 begins at the \w{4} group);
#   - only a SessionId terminated by "&" or a double quote is matched, so an id
#     followed by any other character is left unmasked.
# Widen [&"] to the terminators the application actually emits, and drop the
# retained \w{4} if a four-character tail is still too revealing for your data.
# (?m) makes ^ and $ match at line boundaries inside a multi-line event.
[session-anonymizer]
REGEX = (?m)^(.*)SessionId=\w+(\w{4}[&"].*)$
FORMAT = $1SessionId=########$2
DEST_KEY = _raw
# Route to an alternate index:
# Any event whose _raw contains the literal "Application" has its index set to
# "Verbose". FORMAT contains no $n reference, so it is written as-is rather than
# from a capture group. The REGEX is an unanchored substring test; whether it is
# case-sensitive depends on the regex engine defaults — confirm.
# NOTE(review): the "Verbose" index must exist on the indexer; this page does not
# say what happens to events routed to an unknown index, so confirm before
# relying on this for routing.
[AppRedirect]
REGEX = Application
DEST_KEY = _MetaData:Index
FORMAT = Verbose
# Extract comma-delimited values into fields:
# A single DELIMS set splits _raw into tokens; because FIELDS is given, the tokens
# are named positionally from that list (see DELIMS and FIELDS above). Field
# names containing spaces or commas must themselves be quoted with " ".
[extract_csv]
DELIMS = ","
FIELDS = "field1", "field2", "field3"
# This example assigns the extracted values from _raw to field1, field2 and field3 (in order of
# extraction). If more than three values are extracted the values without a matching field name
# are ignored.
# Extract key-value pairs:
# Two DELIMS sets are given: the first ("|") splits _raw into key/value pairs,
# the second ("=") splits each pair into its key and value (see DELIMS above).
# No FIELDS list is needed here, since the key half of each pair supplies the
# field name.
[pipe_eq]
DELIMS = "|", "="
# This example extracts key-value pairs which are separated by '|'
# while the key is delimited from value by '='.