Admin Manual

transforms.conf

transforms.conf specifies regex-based transformations to apply to events: rules for correlating events into meta-events, extracting fields, or masking event text.

These transformations are applied to events from particular sources, hosts or sourcetypes via props.conf.

transforms.conf.spec

# Copyright (C) 2005-2007 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This file contains possible attribute/value pairs for controlling Splunk Server regex configuration.
# You can tie your regexes defined here to a custom props.conf file.
# There is a transforms.conf in the default bundle.  To set custom configurations, place a
# transforms.conf in $SPLUNK_HOME/etc/bundles/local/ or your own custom bundle directory.
#
# A configuration looks like:
[<regex name>]
attribute1 = val1
attribute2 = val2
...
# The precedence rules are the same as in props.conf.spec.
# The possible attributes/value pairs, and their default values, are:
SOURCE_KEY = <string>
    * Set which KEY to perform the regex on.
    * Use the KEYs listed below.
    * Defaults to _raw.
LOOKAHEAD = <integer>
    * Specifies how many characters into the string to search.
    * Defaults to 256.
REGEX = <regular expression>
    * If set, this is the regular expression that will operate on the data.
    * Defaults to empty.
FORMAT = <string>
    * A string with arguments specified by $n, where n represents the output
      of the n-th parenthesized group of the REGEX.
    * If the regex does not have n groups, the matching fails.
    * The special identifier $0 represents what was in the DEST_KEY before this regex was performed.
    * Defaults to $1.
DEFAULT_VALUE = <string>
    * If set, and the regex fails, this value will be written to the DEST_KEY.
    * Defaults to empty.
DEST_KEY = <string>
    * Specifies where the formatted result of running the regex should be stored.
    * Use the KEYs listed below.
REPEAT_MATCH = <true/false>
    * Specifies whether the regular expression should be run several times on the SOURCE_KEY.
    * REPEAT_MATCH starts wherever the last match stopped, and continues until no more matches are found.
    * Defaults to false.
WRITE_META = <true/false>
    * Specifies that whatever was written to DEST_KEY should also be appended to
      the metadata for the event.
    * Defaults to false.

# Splunk KEYs for events
# Please note: the contents of a key that doesn't start with _ will be indexed without being segmented.
_raw  : The raw text of the event.
_meta : A space separated list of metadata for an event.
        The metadata is displayed below the event in SplunkWeb.
_time : The timestamp of the event, in seconds since 1/1/1970 UTC.
queue : The queue to be used by the next queue output processor.
cluster : A cluster identifier to be used to create meta events.
MetaData:Host       : The host associated with the event.
                      The value must be prefixed by "host::"
_MetaData:Index     : The index where the event should be stored.
MetaData:Source     : The source associated with the event.
                      The value must be prefixed by "source::"
MetaData:Sourcetype : The sourcetype of the event.
                      The value must be prefixed by "sourcetype::"

transforms.conf.example

# Copyright (C) 2005-2007 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# Here are several example configurations for transforms.conf.
# Please note:  you must map your transforms to a specific host, source or sourcetype via an entry
# in props.conf.  See example props.conf or Splunk documentation for instructions.
# Also you will need to change the example regexes to match your data.
# Override host: the last whitespace-delimited word of the event becomes the host.
[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \s(\w*)$
FORMAT = host::$1
# Extracted fields: the negative lookbehind (?<!\s) keeps the captured group
# from ending in whitespace.
[netscreen-error]
REGEX = device_id=[^ ]+\s+\[w+\](.*)(?<!\s)
FORMAT = err_code::$1
# Mask sensitive data: every SessionId value is rewritten as ######## followed
# by its last four characters, and the masked text replaces _raw.
[session-anonymizer]
REGEX = (?m)^(.*)SessionId=\w+(\w{4}[&"].*)$
FORMAT = $1SessionId=########$2
DEST_KEY = _raw
# Meta events -- this creates a meta event for each IP address via regex.
# PREPEND is not among the attributes in transforms.conf.spec above;
# FORMAT = ip::$1 expresses the same prefix with a documented attribute.
[access-ip]
DEST_KEY      = cluster
REGEX         = (\d+\.\d+\.\d+\.\d+)
DEFAULT_VALUE =
PREPEND       = ip::
WRITE_META    = False
# Route to an alternate index (the key is spelled _MetaData:Index in the spec above):
[AppRedirect]
REGEX = Application
DEST_KEY = _MetaData:Index
FORMAT = Verbose
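As an added example (not Splunk's own code and not part of the original page), the following Python emulates a single transforms.conf stanza using the attribute semantics from the spec above, then runs the hostoverride and session-anonymizer stanzas over constructed events so a REGEX/FORMAT pair can be checked before it is wired up in props.conf. Assumed simplifications: REPEAT_MATCH is ignored, LOOKAHEAD is treated as a plain prefix window on SOURCE_KEY, and apply_transform and demo are names chosen here.

```python
import re

# Added example, not Splunk code: emulates one transforms.conf stanza with the
# attribute semantics from the spec above, so a REGEX/FORMAT pair can be tried on
# sample events before deployment. Assumed simplifications: REPEAT_MATCH is
# ignored and LOOKAHEAD is applied as a plain prefix window on SOURCE_KEY.

def apply_transform(event, stanza):
    """Return a copy of event (dict KEY -> str) with one stanza applied."""
    out = dict(event)
    src = stanza.get("SOURCE_KEY", "_raw")
    dest = stanza.get("DEST_KEY", src)
    window = out.get(src, "")[: int(stanza.get("LOOKAHEAD", 256))]
    match = re.search(stanza["REGEX"], window)
    result = None
    if match:
        def group(m):
            # $0 is the previous DEST_KEY value; $n is group n, and a
            # reference to a group the REGEX lacks makes the match fail.
            n = int(m.group(1))
            if n == 0:
                return out.get(dest, "")
            if n > match.re.groups:
                raise LookupError(n)
            return match.group(n) or ""
        try:
            result = re.sub(r"\$(\d+)", group, stanza.get("FORMAT", "$1"))
        except LookupError:
            result = None
    if result is None:
        if not stanza.get("DEFAULT_VALUE"):
            return out  # regex failed and there is no DEFAULT_VALUE to write
        result = stanza["DEFAULT_VALUE"]
    out[dest] = result
    if stanza.get("WRITE_META", "false").lower() == "true":
        out["_meta"] = (out.get("_meta", "") + " " + result).strip()
    return out

# Stanzas taken from transforms.conf.example above; the events are constructed.
ANONYMIZER = {"REGEX": r'(?m)^(.*)SessionId=\w+(\w{4}[&"].*)$',
              "FORMAT": "$1SessionId=########$2", "DEST_KEY": "_raw"}
HOST_OVERRIDE = {"DEST_KEY": "MetaData:Host", "REGEX": r"\s(\w*)$",
                 "FORMAT": "host::$1"}

def demo():
    masked = apply_transform({"_raw": "GET /a?u=alice&SessionId=abcdef123456789&lang=en"}, ANONYMIZER)
    rehosted = apply_transform({"_raw": "login ok from web03"}, HOST_OVERRIDE)
    return masked["_raw"], rehosted["MetaData:Host"]
```

Running demo() shows the session id reduced to its last four characters and the host rewritten from the final word of the event; an event with no SessionId passes through unchanged because the stanza has no DEFAULT_VALUE.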

This documentation applies to the following versions of Splunk: 3.1.4