This basic example creates an indexed field called device_id_new. Set INDEXED=true to indicate that the field is indexed. <your_custom_field_name> is the name of the custom field you set in the unique transforms.conf stanza; that stanza is referenced from props.conf under a spec such as source::<source>, where <source> is the source for an event. The transforms.conf stanza has this shape:

    [<unique_transforms_stanza_name>]
    REGEX = <regular_expression>
    FORMAT = <your_custom_field_name>::1

The attributes used in such a stanza:

REGEX is a regular expression that operates on your data to extract fields.

FORMAT: use it to specify the format of the field-value pair(s) that you are extracting, including any field names or values that you want to add. You don't need to specify the FORMAT if you have a simple REGEX with name-capturing groups.

SOURCE_KEY: you use it to identify a KEY whose values the REGEX should be applied to.

REPEAT_MATCH: set it to true to run the REGEX multiple times on the SOURCE_KEY.

LOOKAHEAD: use it to specify how many characters to search into an event.

DEST_KEY: it specifies where Splunk sends the results of the REGEX. DEST_KEY is required for index-time field extractions where WRITE_META = false or is not set. I haven't seen it used for changing the index name. The typical use case, however, is to discard events that match a regular expression.

DEFAULT_VALUE: the value for this attribute is written to DEST_KEY if the REGEX fails.

WRITE_META = true writes the extracted field name and value to _meta, which is where Splunk stores indexed fields.

richgalloway (SplunkTrust) replied: That method can be confusing.