transforms.conf
transforms.conf is where we specify transformations and lookups that can then
be applied to any event. These transforms and lookups are referenced by name in
props.conf.
For our examples in the later subsections, we will use this event:
2012-09-24T00:21:35.925+0000 DEBUG [MBX] Password reset called. [old=1234, new=secret, req_time=5346]
We will use it with these metadata values:
sourcetype=myapp
source=/logs/myapp.session_foo-jA5MDkyMjEwMTIK.log
host=vlbmba.local
Creating indexed fields
One common task accomplished with transforms.conf is the creation of new
indexed fields. Indexed fields differ from extracted fields in that they are
written into the index at index time, as key::value terms, rather than being pulled
out of the raw text at search time; a search on an indexed field therefore works
whether or not the value appears in the raw text of the event. It is usually
preferable to create extracted fields instead of indexed fields. See Chapter 3,
Indexed fields versus extracted fields, for a deeper discussion of when indexed
fields are beneficial.
Indexed fields are only applied to events that are indexed after the
definition is created. There is no way to backfill a field without reindexing.
Creating a loglevel field
The format of a typical stanza in transforms.conf looks like this:
[myapp_loglevel]
REGEX = \s([A-Z]+)\s
FORMAT = loglevel::$1
WRITE_META = True
This will add the field loglevel=DEBUG to our events. An indexed field is a good
idea here if the values of loglevel are common words that also occur elsewhere in
the events, for instance ERROR: a search for loglevel=ERROR against an indexed field
retrieves only the events whose level is ERROR, whereas with an extracted field
Splunk must first retrieve every event containing the word ERROR anywhere in its
text and then filter them at search time.
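To make the stanza concrete, here is an added example (not code from the book or from Splunk) that parses the transforms.conf stanza above, applies its REGEX and FORMAT to the sample event the way index-time field creation would, and then contrasts a raw-text search for the word ERROR with a search on the indexed loglevel field. Python's re module stands in for Splunk's PCRE engine, the two extra events are constructed for the demonstration, and the search helpers are simplifications of what Splunk does internally; all of that is an assumption of this example, not a description of Splunk's implementation.

```python
import re

# The transforms.conf stanza from the text, verbatim.
TRANSFORMS_CONF = r"""
[myapp_loglevel]
REGEX = \s([A-Z]+)\s
FORMAT = loglevel::$1
WRITE_META = True
"""

# Constructed sample events. The first is the event from the text; the other
# two are made up here to show why common words such as ERROR matter.
EVENTS = [
    "2012-09-24T00:21:35.925+0000 DEBUG [MBX] Password reset called. "
    "[old=1234, new=secret, req_time=5346]",
    "2012-09-24T00:21:36.001+0000 ERROR [MBX] Password reset failed. [req_time=5347]",
    "2012-09-24T00:21:36.120+0000 INFO [MBX] Retrying after ERROR in backend. [req_time=5348]",
]


def parse_transforms(text):
    """Minimal parser for the [stanza] / KEY = value layout of transforms.conf."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def apply_transform(event, stanza):
    """Return the {field: value} an index-time transform would add to the event.

    Only stanzas with WRITE_META = True create indexed fields; $N in FORMAT is
    replaced by the N-th capture group of REGEX. Python's re stands in for PCRE
    (assumption of this example).
    """
    if stanza.get("WRITE_META", "").lower() != "true":
        return {}
    match = re.search(stanza["REGEX"], event)
    if not match:
        return {}
    expanded = re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), stanza["FORMAT"])
    key, _, value = expanded.partition("::")
    return {key: value}


def search_raw_term(events, term):
    """A raw-text term search: any event containing the word anywhere matches."""
    pattern = re.compile(r"\b%s\b" % re.escape(term))
    return [e for e in events if pattern.search(e)]


def search_indexed_field(events, stanza, field, value):
    """A search on the indexed field: only events whose key::value term matches."""
    return [e for e in events if apply_transform(e, stanza).get(field) == value]


STANZAS = parse_transforms(TRANSFORMS_CONF)
LOGLEVEL = STANZAS["myapp_loglevel"]

if __name__ == "__main__":
    for event in EVENTS:
        print(apply_transform(event, LOGLEVEL), "<-", event[:45])
    print("raw term ERROR matches:", len(search_raw_term(EVENTS, "ERROR")))
    print("loglevel=ERROR matches:", len(search_indexed_field(EVENTS, LOGLEVEL, "loglevel", "ERROR")))
```

The third event contains the word ERROR in its message but has loglevel INFO, so the raw-text search returns two events while the indexed-field search returns only the genuine ERROR event. In Splunk the stanza would be wired up by referencing it from the sourcetype's props.conf stanza with a TRANSFORMS- setting, and, as the note above says, only events indexed after that configuration is in place receive the field.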