Remember that transforms are applied after parsing, so changing
metadata fields via transforms cannot be used to affect which
props.conf stanzas are applied for date parsing or line breaking.
For instance, with syslog events that contain the hostname, you
cannot change the time zone because the date has already been
parsed before the transforms are applied.
The keys provided by Splunk include:
_raw (this is the default value for SOURCE_KEY)
MetaData:Source
MetaData:Sourcetype
MetaData:Host
_MetaData:Index
Overriding host
If your hostnames appear differently from different sources, for instance
syslog versus Splunk Forwarders, you can use a transform to normalize these values.
Given our hostname vlbmba.local, we may want to keep only the portion to the left
of the first period. The stanza would look like this:
[normalize_host]
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Host
REGEX = (.*?)\.
FORMAT = host::$1
This will replace our hostname with vlbmba. Note these two things:
WRITE_META is not included because we are not adding to the metadata of
this event; we are instead overwriting the value of a core metadata field.
host:: must be included at the beginning of the format.
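To see what the normalize_host stanza does to an event, here is a small simulator, added as an example and not taken from the book or from Splunk itself. It parses the stanza text above, applies REGEX to the SOURCE_KEY value, expands $1 in FORMAT, and overwrites DEST_KEY; the requirement that the format start with host:: is modelled as an explicit check (the META_FIELD table and the event dictionary layout are assumptions of this simulation, not Splunk internals).

```python
import re

# The stanza from the page, embedded here as constructed input.
STANZA_OK = """[normalize_host]
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Host
REGEX = (.*?)\\.
FORMAT = host::$1
"""

# Assumed mapping from metadata key to the field prefix FORMAT must carry
# (the page states host:: for MetaData:Host; the rest follow that pattern).
META_FIELD = {"MetaData:Host": "host", "MetaData:Source": "source",
              "MetaData:Sourcetype": "sourcetype", "_MetaData:Index": "index"}


def parse_stanza(text):
    """Parse one [name] stanza of 'key = value' lines into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def apply_transform(settings, event):
    """Apply SOURCE_KEY/REGEX/FORMAT/DEST_KEY to one event dict and return a copy.

    Simulates overwriting a core metadata field (no WRITE_META): if REGEX does
    not match, the event passes through untouched; if FORMAT lacks the
    required field:: prefix, the stanza is rejected instead of silently
    writing a bad value.
    """
    src = settings.get("SOURCE_KEY", "_raw")  # _raw is the default on the page
    m = re.search(settings["REGEX"], event.get(src, ""))
    if not m:
        return dict(event)
    # Expand $1, $2, ... with the captured groups.
    value = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), settings["FORMAT"])
    dest = settings["DEST_KEY"]
    prefix = META_FIELD[dest] + "::"
    if not value.startswith(prefix):
        raise ValueError(f"FORMAT for {dest} must begin with {prefix!r}")
    out = dict(event)
    out[dest] = value[len(prefix):]
    return out
```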
Overriding source
Some applications will write a log for each session, conversation, or transaction.
One problem this introduces is an explosion of source values. The values of source
will end up in $SPLUNK_HOME/var/lib/splunk/*/db/Sources.data, one line per
unique value of source. This file will eventually grow to a huge size, and Splunk
will waste a lot of time updating it, causing unexplained pauses. A new setting in
indexes.conf, disableGlobalMetadata, can also eliminate this problem.