I have a name value data stream which contains the following - ` "msg_sourcetype": "syslog-test"`. How can I set the `sourcetype` to be - `syslog-test`?
The following works - `| rex "msg_sourcetype\": \"(?<one>[a-zA-Z]*)"` ignoring the dash for now.
So, I guess in `transforms.conf` I can have something like the following, but I'm not sure about the `one` field...

```
[_sourcetype]
# REGEX is not quoted in transforms.conf; the named group is also capture group $1
REGEX = msg_sourcetype\": \"(?<one>[a-zA-Z]*)
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype
```
The following is a big help - [Set host values based on event data][1]
[1]: https://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Data/Overridedefaulthostassignments
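A complete index-time override for this case, as an added example that is not part of the original post: the `transforms.conf` stanza only takes effect when a `props.conf` stanza references it, and the character class is widened so the dash in `syslog-test` is captured. The original sourcetype name `json_stream` is an assumed placeholder; replace it with whatever sourcetype the stream arrives under.

```ini
# props.conf
# Assumed: the raw stream is currently indexed as "json_stream" (placeholder).
# Any event matching this stanza is handed to the transform below.
[json_stream]
TRANSFORMS-set_sourcetype = msg_sourcetype_override

# transforms.conf
[msg_sourcetype_override]
# Match the key/value pair and capture everything up to the closing quote,
# so "syslog-test" (including the dash) is captured as group 1.
REGEX = "msg_sourcetype":\s*"([^"]+)"
# Rewrite the sourcetype metadata key with the captured value.
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype
```

This is an index-time change, so it must live on the first full Splunk instance that parses the data (indexer or heavy forwarder) and only affects events that arrive after the config is loaded.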