Documentation: 3.3
This page last updated: 07/23/08 04:07pm

transforms.conf

Transforms.conf specifies transformations to apply to events based on regex-based patterns, including rules for extracting fields or masking event text.
These transformations are applied to events from particular sources, hosts or sourcetypes via props.conf.

transforms.conf.example

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This is an example transforms.conf.  Use this file to create regexes and rules for transforms.
# Use this file in tandem with props.conf.
#
# To use one or more of these configurations, copy the configuration block into transforms.conf 
# in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/doc/latest/admin/BundlesIntro.

# Override host:

[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \s(\w*)$
FORMAT = host::$1

# Extracted fields:

[netscreen-error]
REGEX = device_id=[^ ]+\s+\[w+\](.*)(?
FORMAT = err_code::$1

# Mask sensitive data:

[session-anonymizer]
REGEX = (?m)^(.*)SessionId=\w+(\w{4}[&"].*)$
FORMAT = $1SessionId=########$2
DEST_KEY = _raw

# Route to an alternate index:

[AppRedirect]
REGEX = Application
DEST_KEY = _MetaData:index
FORMAT = Verbose

# Extract comma-delimited values into fields
# This example assigns the extracted values from _raw to field1, field2 and field3 (in order of 
# extraction). If more than three values are extracted the values without a matching field name 
# are ignored.

[extract_csv]
DELIMS = ","
FIELDS = "field1", "field2", "field3"

# Extract key-value pairs
# This example extracts key-value pairs which are separated by '|'
# while the key is delimited from value by '='.

[pipe_eq]
DELIMS = "|", "="

transforms.conf.spec

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0
#
# This file contains possible attributes and values you can use to configure transform
# and event signing in transforms.conf.
#
# There is a transforms.conf in $SPLUNK_HOME/etc/system/default/.  To set custom configurations, 
# place a transforms.conf $SPLUNK_HOME/etc/system/local/.  For examples, see transforms.conf.example.
# You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/doc/latest/admin/BundlesIntro.

[$UNIQUE_STANZA_NAME]
        * Name your stanza. Use this name to configure props.conf.
                * For example, in a props.conf stanza, enter TRANSFORMS-$VALUE = $UNIQUE_STANZA_NAME.
        * Follow this stanza name with any number of the following attribute/value pairs.  
        * If you do not specify an entry for each attribute, Splunk uses the default value.

SOURCE_KEY = <string>
        * Set which KEY to perform the regex on.
        * Use the KEYs listed below.
        * Defaults to _raw.

LOOKAHEAD = <integer>
        * Specify how many characters into the string to search.
        * Defaults to 256.

REGEX = <regular expression>
        * Specify a regular expression to operate on the data.
        * Defaults to empty.

FORMAT = <string>
        * A string with arguments specified by $n, where n represents the output
          of the n-th parenthesized group of the REGEX.
        * If the regex does not have n groups, the matching fails.
        * The special identifier $0 represents what was in the DEST_KEY before this regex was performed.
        * Defaults to $1.

DELIMS = <quoted string>
        * Set delimiter characters to separate data into key-value pairs, and then to separate key from value.
        * NOTE: Delimiters must be quoted with " " (to escape, use \).
        * Usually, two sets of delimiter characters must be specified:
                * The first to extract key/value pairs.
                * The second to separate the key from the value.
        * If you enter only one set of delimiter characters, then the extracted tokens:
                * Are named with names from "fields", if "fields" are entered (below).
                * OR even tokens are used as field names while odd tokens become field-values.
        * Consecutive delimiter characters are consumed except when a list of field names is specified.

FIELDS = <quoted string list>
        * List the names of the field values extracted using "delims."
        * NOTE: If field names contain spaces or commas they must be quoted with " " (to escape, use \).
        * Defaults to "".
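The DELIMS / FIELDS rules above, written out as an added Python emulation (this is not Splunk's own code): one delimiter set with a FIELDS list, one set without it, and two sets for key/value pairs. It assumes the DELIMS sets are passed as a list of strings in the order they appear in the stanza.

```python
import re

# Added example (not Splunk's code): an emulation of the DELIMS / FIELDS
# rules described above, so the configuration shapes can be compared.
# `delims` is the list of quoted delimiter sets from DELIMS, in order;
# `fields` is the FIELDS list (may be empty).

def _split(text, delim_chars, consume, maxsplit=0):
    """Split on any character in delim_chars; collapse runs if `consume`."""
    pattern = "[" + re.escape(delim_chars) + "]" + ("+" if consume else "")
    return re.split(pattern, text, maxsplit=maxsplit)

def extract_delims(text, delims, fields=()):
    """Return {field_name: value} as a DELIMS/FIELDS stanza would extract."""
    fields = list(fields)
    if len(delims) >= 2:
        # Two sets: the first separates pairs, the second separates key from value.
        result = {}
        for pair in _split(text, delims[0], consume=True):
            kv = _split(pair, delims[1], consume=True, maxsplit=1)
            if len(kv) == 2 and kv[0]:
                result[kv[0]] = kv[1]
        return result
    # One set: runs of delimiters are consumed only when no FIELDS list is
    # given (with FIELDS the positions matter, so empty tokens are kept).
    tokens = _split(text, delims[0], consume=not fields)
    if fields:
        # Tokens beyond the named fields are ignored.
        return dict(zip(fields, tokens))
    # Even tokens become field names, odd tokens their values.
    return dict(zip(tokens[0::2], tokens[1::2]))

# The two stanzas from transforms.conf.example above, as Python values.
EXTRACT_CSV = {"DELIMS": [","], "FIELDS": ["field1", "field2", "field3"]}
PIPE_EQ = {"DELIMS": ["|", "="]}

def run_stanza(text, stanza):
    return extract_delims(text, stanza["DELIMS"], stanza.get("FIELDS", ()))

if __name__ == "__main__":
    # Constructed sample events, not real log data.
    print(run_stanza("10.0.0.5,alice,,login-ok", EXTRACT_CSV))
    print(run_stanza("user=alice|src=10.0.0.5|action=login", PIPE_EQ))
```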

DEFAULT_VALUE = <string>
        * If set, and REGEX (above) fails, this value is written to the DEST_KEY.
        * Defaults to empty.

DEST_KEY = <string>
        * Specifies where the formatted result of running REGEX should be stored.
        * Use the KEYs listed below.
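How SOURCE_KEY, LOOKAHEAD, REGEX, FORMAT ($n and $0), DEFAULT_VALUE and DEST_KEY fit together, as an added Python emulation that is not Splunk's code. It represents an event as a dict of KEY to value and runs the session-anonymizer and hostoverride stanzas from transforms.conf.example on a constructed line; the match-failure rule for a missing group is implemented as "leave DEST_KEY unchanged".

```python
import re

# Added example (not Splunk's code): a minimal emulation of how one
# transforms.conf stanza rewrites an event, following the spec above.
# An "event" is a dict of Splunk KEY -> value; a "stanza" is a dict of
# the attributes documented on this page.

def apply_transform(event, stanza):
    """Return a new event dict with DEST_KEY rewritten per REGEX/FORMAT."""
    source_key = stanza.get("SOURCE_KEY", "_raw")
    dest_key = stanza.get("DEST_KEY", "_raw")
    fmt = stanza.get("FORMAT", "$1")
    lookahead = int(stanza.get("LOOKAHEAD", 256))
    out = dict(event)
    # Only the first LOOKAHEAD characters of SOURCE_KEY are searched.
    match = re.search(stanza["REGEX"], event.get(source_key, "")[:lookahead])
    # Referencing a group the REGEX does not have makes the match fail.
    wanted = [int(n) for n in re.findall(r"\$(\d+)", fmt)]
    if match is None or any(n > match.re.groups for n in wanted):
        if "DEFAULT_VALUE" in stanza:
            out[dest_key] = stanza["DEFAULT_VALUE"]
        return out
    def expand(ref):
        n = int(ref.group(1))
        if n == 0:  # $0 is the previous contents of DEST_KEY
            return event.get(dest_key, "")
        return match.group(n) or ""
    out[dest_key] = re.sub(r"\$(\d+)", expand, fmt)
    return out

# Stanzas copied from transforms.conf.example above.
SESSION_ANONYMIZER = {
    "REGEX": r'(?m)^(.*)SessionId=\w+(\w{4}[&"].*)$',
    "FORMAT": "$1SessionId=########$2",
    "DEST_KEY": "_raw",
}
HOST_OVERRIDE = {"REGEX": r"\s(\w*)$", "FORMAT": "host::$1",
                 "DEST_KEY": "MetaData:Host"}

def demo():
    # Constructed sample event, not real log data.
    event = {"_raw": "GET /account?SessionId=f81d4fae7dec&user=bob from app01"}
    event = apply_transform(event, SESSION_ANONYMIZER)  # mask all but last 4
    event = apply_transform(event, HOST_OVERRIDE)       # last word becomes host
    return event

if __name__ == "__main__":
    print(demo())
```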

REPEAT_MATCH = <true/false>
        * Specifies whether the REGEX should be run several times on the SOURCE_KEY.
        * REPEAT_MATCH starts wherever the last match stopped, and continues until no more matches are found.
        * Defaults to false.

WRITE_META = <true/false>
        * Specifies that whatever was written to DEST_KEY should also be appended to the metadata for the event.
        * Defaults to false.
 
# Splunk KEYs for events:
_raw  : The raw text of the event.

_done : If set to any string this is the last event in a stream.

_meta : A space separated list of metadata for an event.
        The metadata is displayed below the event in the Splunk Web.

_time : The timestamp of the event, in seconds since 1/1/1970 UTC.

queue : The queue to be used by the next queue output processor.

cluster : A cluster identifier to be used to create meta events.

MetaData:FinalType  : The event type of the event.

MetaData:Host       : The host associated with the event.
                      The value must be prefixed by "host::"

_MetaData:Index     : The index where the event should be stored.

MetaData:Source     : The source associated with the event.
                      The value must be prefixed by "source::"

MetaData:Sourcetype : The sourcetype of the event.
                      The value must be prefixed by "sourcetype::"

Any KEY prefixed by '_' is, in general, not indexed by Splunk.
