Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

ag-Splunk-n-Linux > transforms.conf basics > Flashcards

transforms.conf basics Flashcards

1
Q

What is transforms.conf?

A

It is a .conf file that allows us to make changes to the data that we onboarding, such as:

  • Sending events to NULL queue
  • Separating a single source type into multiple ones
  • Host ans sources overrides based on regex
  • Delimiter based field extractions
  • Anonymizing data
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is a Splunk’s pipeline?

A

Pipeline is the route that the data takes when it comes through Splunk, and depending on the phase of that process, different things happen to the data, such as line breaking, line merging, time extraction.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is a queue?

A

It is a memory space to store data between pipelines

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What kind of pipelines there is, and what do they do?

A

a) Parsing pipeline:
- parsing of utf8 decoding
- linebreaker
- header
- First place to split data stream into a single line event

b) Merging pipeline:
- aggregator
- line merging for multiline events
- time extraction

c) Typing pipeline:
- regex replacement
- annotator

d) Index pipeline:
- syslog out
- tcp out to another Splunk component
- indexer

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What kind of queues there is? (in order)

A
  • parsing queue
  • aggregator queue
  • typing queue
  • index queue
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What is the transforms.conf stanza for discarding specific events?

A

[]
REGEX=
DEST_KEY=queue
FORMAT=nullQueue

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is the transforms.conf stanza for deleting all events BUT ones with xyz?

A

[]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[]
REGEX=xyz
DEST_key=queue
FORMAT=indexQueue

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is the transforms.conf stanza for splitting a log into multiple sourcetypes?

A

[]
REGEX=
DEST_KEY=Metadata:Sourcetype
FORMAT=sourcetype::xyz

[]
REGEX=
DEST_KEY=Metadata:Sourcetype
FORMAT=sourcetype::xyz2

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What is the transforms.conf stanza for changing host name?

A

[]
REGEX=
DEST_KEY=Metadata:Host
FORMAT=

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What is the transforms.conf and props.conf for delimiter based field extraction?

A

props.conf:
[]
REPORT-=xyz

transforms.conf:
[xyz]
DELIMS=”,”
FIELDS=”saleTime”,”productName”,”somethingElse”,

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What is the transforms.conf for masking data?

A

[xyz]
REGEX=
DEST_KEY=_raw
FORMAT=

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

How to anonymize data with props.conf?

A

[]

SEDCMD-= s///g

How well did you know this?
1
Not at all
2
3
4
5
Perfectly

ag-Splunk-n-Linux (17 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions