Hi,
I'm a newbie to Splunk field extractions. I'd appreciate any help on this.
I have JSON format logs like below:
![alt text][1]
[1]: /storage/temp/166244-json.png
I want source and tag as fields, i.e. they should not appear in events but instead as separate fields, the way default fields appear on the left-hand side in the UI. Also, I want the word "line:" to be removed, so basically only my line event should appear in Splunk. How can I achieve this?
I believe props.conf and transforms should be a solution, but I don't know how to approach that. My transforms should contain a regex to capture what? I don't understand what my regex should do.