Admin Manual
transforms.conf


transforms.conf specifies transformations to apply to events based on regular-expression patterns, including rules for extracting fields or masking event text.

These transformations are applied to events from particular sources, hosts or sourcetypes via props.conf.


transforms.conf.spec

# This file contains possible attributes and values you can use to configure transform
# and event signing in transforms.conf.
#
# There is a transforms.conf in $SPLUNK_HOME/etc/bundles/default/.  To set custom configurations, 
# place a transforms.conf in your own custom bundle directory.  For examples, see transforms.conf.example.
#
# For help creating a bundle directory, or to learn more about bundles (including bundle precedence)
# please see the documentation located at http://www.splunk.com/doc/latest/admin/bundleconfig.
[$UNIQUE_STANZA_NAME]
    * Name your stanza. Use this name to configure props.conf.
        * For example, in a props.conf stanza, enter TRANSFORMS-$VALUE = $UNIQUE_STANZA_NAME.
    * Follow this stanza name with any number of the following attribute/value pairs.
    * If you do not specify an entry for each attribute, Splunk will use the default value.
SOURCE_KEY = <string>
    * Set which KEY to perform the regex on.
    * Use the KEYs listed below.
    * Defaults to _raw.
LOOKAHEAD = <integer>
    * Specify how many characters into the string to search.
    * Defaults to 256.
REGEX = <regular expression>
    * If set, this is the regular expression that will operate on the data.
    * Defaults to empty.
FORMAT = <string>
    * A string with arguments specified by $n, where n represents the output
      of the n-th parenthesized group of the REGEX.
    * If the regex does not have n groups, the matching fails.
    * The special identifier $0 represents what was in the DEST_KEY before this regex was performed.
    * Defaults to $1.
DELIMS = <quoted string>
    * Set delimiter characters to separate data into key-value pairs, and then to separate key from value.
    * NOTE: Delimiters must be quoted with " " (to escape, use \).
    * Usually, two sets of delimiter characters must be specified:
        * the first to extract key/value pairs.
        * the second to separate the key from the value.
    * If you enter only one set of delimiter characters, then the extracted tokens:
        * Are named with names from "fields", if "fields" are entered (below).
        * OR even tokens are used as field names while odd tokens become field values.
FIELDS = <quoted string list>
    * List the names of the field values extracted using "delims".
    * NOTE: If field names contain spaces or commas they must be quoted with " " (to escape, use \).
    * Defaults to "".
DEFAULT_VALUE = <string>
    * If set, and the regex fails, this value will be written to the DEST_KEY.
    * Defaults to empty.
DEST_KEY = <string>
    * Specifies where the formatted result of running the regex should be stored.
    * Use the KEYs listed below.
REPEAT_MATCH = <true/false>
    * Specifies whether the regular expression should be run several times on the SOURCE_KEY.
    * REPEAT_MATCH starts wherever the last match stopped, and continues until no more matches are found.
    * Defaults to false.
WRITE_META = <true/false>
    * Specifies that whatever was written to DEST_KEY should also be appended to the metadata for the event.
    * Defaults to false.
 
# Splunk KEYs for events:
_raw  : The raw text of the event.
_done : If set to any string this is the last event in a stream.
_meta : A space separated list of "meta data" for an event.
        The meta data is displayed below the event in the SplunkWeb.
_time : The timestamp of the event, in seconds since 1/1/1970 UTC.
queue : The queue to be used by the next queue output processor.
cluster : A cluster identifier to be used to create meta events.
MetaData:FinalType  : The event type of the event.
MetaData:Host       : The host associated with the event.
                      The value must be prefixed by "host::"
_MetaData:Index     : The index where the event should be stored.
MetaData:Source     : The source associated with the event.
                      The value must be prefixed by "source::"
MetaData:Sourcetype : The sourcetype of the event.
                      The value must be prefixed by "sourcetype::"
Any KEY prefixed by '_' will, in general, not be indexed by Splunk.

transforms.conf.example

# This is an example transforms.conf.  Use this file to create regexes and rules for transforms.
# Use this file in tandem with props.conf.
# There is a transforms.conf in the default directory ($SPLUNK_HOME/etc/bundles/default/).
# To set custom configurations, place a transforms.conf in your own custom bundle directory.

# Override host:
[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \s(\w*)$
FORMAT = host::$1

# Extracted fields:
[netscreen-error]
REGEX = device_id=[^ ]+\s+\[w+\](.*)(?
FORMAT = err_code::$1

# Mask sensitive data:
[session-anonymizer]
REGEX = (?m)^(.*)SessionId=\w+(\w{4}[&"].*)$
FORMAT = $1SessionId=########$2
DEST_KEY = _raw

# Route to an alternate index:
[AppRedirect]
REGEX = Application
DEST_KEY = _MetaData:Index
FORMAT = Verbose

# Extract comma-delimited values into fields:
[extract_csv]
DELIMS = ","
FIELDS = "field1", "field2", "field3"
# This example assigns the extracted values from _raw to field1, field2 and field3 (in order of
# extraction). If more than three values are extracted, the values without a matching field name
# are ignored.

# Extract key-value pairs:
[pipe_eq]
DELIMS = "|", "="
# This example extracts key-value pairs which are separated by '|'
# while the key is delimited from value by '='.
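The following Python script is an added example that is not part of this page and not Splunk's own code: it simulates how the attributes described in transforms.conf.spec (SOURCE_KEY, LOOKAHEAD, REGEX, FORMAT with $n and $0, DEST_KEY, DEFAULT_VALUE, REPEAT_MATCH, WRITE_META, DELIMS and FIELDS) act on an event, and runs the stanzas from transforms.conf.example above over constructed sample events. The function names (load_transforms, apply_regex, apply_delims, demo) are the example's own, the sample events are constructed, and two behaviours are assumptions rather than statements from the page: a regex stanza without DEST_KEY writes into _meta, and writes to _meta accumulate rather than overwrite.

```python
import re
from configparser import ConfigParser

# Constructed transforms.conf text modelled on the page's example stanzas (sample input only).
TRANSFORMS_CONF = r"""
[session-anonymizer]
REGEX = (?m)^(.*)SessionId=\w+(\w{4}[&"].*)$
FORMAT = $1SessionId=########$2
DEST_KEY = _raw

[hostoverride]
DEST_KEY = MetaData:Host
REGEX = \s(\w*)$
FORMAT = host::$1

[pipe_eq]
DELIMS = "|", "="

[extract_csv]
DELIMS = ","
FIELDS = "field1", "field2", "field3"
"""


def load_transforms(text):
    """Parse transforms.conf text into {stanza: {ATTRIBUTE: value}}, keeping attribute case."""
    cp = ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # attribute names such as REGEX and DEST_KEY are case-sensitive
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def _quoted_list(value):
    """Split a <quoted string list> such as "field1", "field2" into Python strings (\\" unescapes)."""
    return [s.replace('\\"', '"') for s in re.findall(r'"((?:\\.|[^"\\])*)"', value)]


def _expand_format(fmt, match, previous):
    """Expand $n to the n-th capture group; $0 is what DEST_KEY held before this regex ran."""
    def sub(m):
        n = int(m.group(1))
        return previous if n == 0 else (match.group(n) or "")
    return re.sub(r"\$(\d+)", sub, fmt)


def apply_regex(stanza, event):
    """Apply a REGEX/FORMAT stanza to an event dict keyed by Splunk KEYs (_raw, _meta, MetaData:Host...)."""
    source_key = stanza.get("SOURCE_KEY", "_raw")
    dest_key = stanza.get("DEST_KEY", "_meta")  # assumption: extractions without DEST_KEY land in _meta
    lookahead = int(stanza.get("LOOKAHEAD", "256"))
    fmt = stanza.get("FORMAT", "$1")
    repeat = stanza.get("REPEAT_MATCH", "false").lower() == "true"
    pattern = re.compile(stanza["REGEX"])
    # Only the first LOOKAHEAD characters are searched: a SessionId beyond that point is never masked.
    haystack = event.get(source_key, "")[:lookahead]
    needed = max((int(n) for n in re.findall(r"\$(\d+)", fmt)), default=0)
    if needed > pattern.groups:
        matches = []  # FORMAT references a group the REGEX does not have: the match fails
    elif repeat:
        matches = list(pattern.finditer(haystack))  # REPEAT_MATCH: resume after each match
    else:
        matches = [m for m in [pattern.search(haystack)] if m]
    if not matches:
        if "DEFAULT_VALUE" in stanza:
            event[dest_key] = stanza["DEFAULT_VALUE"]
        return event
    for m in matches:
        out = _expand_format(fmt, m, event.get(dest_key, ""))
        if dest_key == "_meta":
            event["_meta"] = (event.get("_meta", "") + " " + out).strip()  # assumption: metadata accumulates
        else:
            event[dest_key] = out
            if stanza.get("WRITE_META", "false").lower() == "true":
                event["_meta"] = (event.get("_meta", "") + " " + out).strip()
    return event


def apply_delims(stanza, event):
    """Apply a DELIMS/FIELDS stanza and return the extracted fields as a dict."""
    delims = _quoted_list(stanza["DELIMS"])
    fields = _quoted_list(stanza.get("FIELDS", ""))
    text = event.get(stanza.get("SOURCE_KEY", "_raw"), "")
    tokens = [t.strip() for t in re.split("[" + re.escape(delims[0]) + "]", text) if t.strip()]
    if len(delims) >= 2:  # the second delimiter set separates each key from its value
        pairs = [re.split("[" + re.escape(delims[1]) + "]", t, maxsplit=1) for t in tokens]
        return {k.strip(): v.strip() for k, v in (p for p in pairs if len(p) == 2)}
    if fields:  # one set plus FIELDS: values are named in order, extra values are ignored
        return dict(zip(fields, tokens))
    return dict(zip(tokens[0::2], tokens[1::2]))  # even tokens name the odd tokens


def demo():
    """Run the example stanzas over constructed events and return the results."""
    t = load_transforms(TRANSFORMS_CONF)
    long_raw = "x" * 300 + " SessionId=abcdef123456&action=login"  # constructed: token past LOOKAHEAD
    return {
        "masked": apply_regex(t["session-anonymizer"], {"_raw": "user=alice SessionId=abcdef123456&action=login"})["_raw"],
        "unmasked": apply_regex(t["session-anonymizer"], {"_raw": long_raw})["_raw"],
        "fixed": apply_regex({**t["session-anonymizer"], "LOOKAHEAD": "1024"}, {"_raw": long_raw})["_raw"],
        "host": apply_regex(t["hostoverride"], {"_raw": "Accepted login from web01"})["MetaData:Host"],
        "kv": apply_delims(t["pipe_eq"], {"_raw": "src=10.0.0.1|dst=10.0.0.2|action=deny"}),
        "csv": apply_delims(t["extract_csv"], {"_raw": "alpha,beta,gamma,delta"}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The "unmasked" result is the check worth keeping in mind when a transform is used for masking: with the default LOOKAHEAD of 256, a SessionId that sits further into the event is never seen by the regex, so the event is indexed with the secret intact and no error is raised; raising LOOKAHEAD for that stanza (the "fixed" case) restores the masking.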

This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6.

