If I have Key-Value pair events and fields that are automatically extracted with `KV_MODE=auto` in props.conf, can I apply a field transformation to an extracted field?
For example, I have a field UserName that appears in the raw events like (e.g., ... UserName="ryan" ...). I want a field **user** to appear at search-time, but I don't want to use and EVAL- or a FIELDALIAS- clause in props.conf, because I don't to overload the server and how it looks for fields (see https://splunkbase.splunk.com/app/2871/ and explanation about how litsearch works).
I have tried using this in props.conf
[my_src_type]
KV_MODE = auto
REPORT-extractions = RenameUser,ExtractSessionType
And the following in transforms.conf
[RenameUser]
SOURCE_KEY = UserName
REGEX = (.+)
FORMAT = user::"$1"
[ExtractSessionType]
REGEX = SessionName="(?\w+(-\w+)*)\S*"
The "SessionType" field extractions from the "SessionName" field are successful, but the "UserName" field is never renamed to "user".
Is this possible with the Key-Value extractions being applied first?
I have looked in the job inspector and found no mention of errors or issues.
↧