What are the required stanza attributes when configuring the transforms.conf to manipulate or remove events?
When configuring the transforms.conf file in Splunk to manipulate or remove events at index time, the required stanza attributes are REGEX, DEST_KEY, and FORMAT. REGEX is the regular expression matched against the incoming data (by default against _raw, unless SOURCE_KEY says otherwise), DEST_KEY names the key that Splunk writes to when the regex matches (for example queue to route an event, or _MetaData:Index to change its index), and FORMAT is the value written into that key (for example nullQueue to discard the event). FORMAT is optional for search-time field extractions and DEST_KEY is not valid there at all, which is why all three are mandatory specifically for index-time transforms that rewrite or drop events.
C. REGEX, DEST_KEY, FORMAT
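To show what those three settings actually do at index time, here is an added example that is not part of the original question or of Splunk's own code. It parses a constructed props.conf and transforms.conf (the classic "send everything to nullQueue, then let selected events back through" pattern) and simulates the index-time routing pipeline over a few constructed log lines. The simulation is simplified: it applies the stanzas listed in a TRANSFORMS- setting in the order written, treats a missing SOURCE_KEY as _raw, lets a later DEST_KEY write overwrite an earlier one, and refuses to run a stanza that lacks REGEX, DEST_KEY or FORMAT.

```python
import configparser
import re

# Constructed sample configs (not from the page). Splunk .conf files are
# INI-like and use only "=" as the key/value delimiter.
PROPS_CONF = r"""
[app:log]
TRANSFORMS-routing = setnull, setparsing, route_errors
"""

TRANSFORMS_CONF = r"""
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = \s(ERROR|WARN)\s
DEST_KEY = queue
FORMAT = indexQueue

[route_errors]
REGEX = \sERROR\s
DEST_KEY = _MetaData:Index
FORMAT = app_errors

[broken_no_dest]
REGEX = DEBUG
FORMAT = nullQueue
"""

# Constructed log lines standing in for incoming raw events.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00Z DEBUG cache warmed",
    "2024-05-01T10:00:01Z INFO request served",
    "2024-05-01T10:00:02Z WARN disk 91% full",
    "2024-05-01T10:00:03Z ERROR db connection refused",
]

REQUIRED = ("REGEX", "DEST_KEY", "FORMAT")


def load_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}.
    Keys are case-sensitive in Splunk, so disable configparser's
    lower-casing; disable interpolation so '%' in a regex is literal."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def missing_required(stanza):
    """Return the index-time settings this stanza is missing."""
    return [k for k in REQUIRED if k not in stanza]


def apply_transform(event, stanza):
    """One transforms.conf stanza: if REGEX matches SOURCE_KEY (default _raw),
    write FORMAT into DEST_KEY. Later stanzas may overwrite the same key."""
    source_key = stanza.get("SOURCE_KEY", "_raw")
    if re.search(stanza["REGEX"], event.get(source_key, "")):
        event[stanza["DEST_KEY"]] = stanza["FORMAT"]
    return event


def route_events(raw_lines, sourcetype, props, transforms):
    """Simulated index-time pipeline for one sourcetype. Returns the events
    that survive (anything left routed to nullQueue is dropped)."""
    chain = []
    for key, value in props.get(sourcetype, {}).items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in value.split(","):
            stanza = transforms[name.strip()]
            missing = missing_required(stanza)
            if missing:
                raise ValueError(f"[{name.strip()}] is missing {', '.join(missing)}")
            chain.append(stanza)
    kept = []
    for line in raw_lines:
        # Defaults an event carries before any transform touches it.
        event = {"_raw": line, "sourcetype": sourcetype,
                 "queue": "indexQueue", "_MetaData:Index": "main"}
        for stanza in chain:
            apply_transform(event, stanza)
        if event["queue"] != "nullQueue":
            kept.append(event)
    return kept


if __name__ == "__main__":
    props, transforms = load_conf(PROPS_CONF), load_conf(TRANSFORMS_CONF)
    for ev in route_events(SAMPLE_EVENTS, "app:log", props, transforms):
        print(ev["_MetaData:Index"], "<-", ev["_raw"])
    print("broken stanza lacks:", missing_required(transforms["broken_no_dest"]))
```

Running it keeps only the WARN line (in main) and the ERROR line (rerouted to app_errors), drops DEBUG and INFO, and reports that the broken stanza is missing DEST_KEY. Swapping the order of setnull and setparsing in TRANSFORMS-routing would silently drop every event, which is the same ordering trap the real pipeline has.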
Agreed C. Doing a Ctrl+F within the Splunk reference URL https://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf

REGEX = <regular expression>
* Enter a regular expression to operate on your data.

FORMAT = <string>
* NOTE: This option is valid for both index-time and search-time field extraction. Index-time field extraction configurations require the FORMAT setting. The FORMAT setting is optional for search-time field extraction configurations.
* This setting specifies the format of the event, including any field names or values you want to add.

DEST_KEY = <key>
* NOTE: This setting is only valid for index-time field extractions.
* Specifies where Splunk software stores the expanded FORMAT results in accordance with the REGEX match.
C is correct
Confirming C. - Data Admin PDF, pages 240-241. When SOURCE_KEY is omitted, _raw is used as the default.
Latest version https://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf