The format of a typical stanza in transforms.conf looks like this:

```
[myapp_loglevel]
REGEX = \s([A-Z]+)\s
FORMAT = loglevel::$1
WRITE_META = True
```

This adds the field loglevel=DEBUG to our events. An indexed field is a good idea when the values of loglevel are common words that also appear outside of this location in the event, for instance ERROR.
Walking through this stanza, we have the following:
- [myapp_loglevel]: The stanza name can be any unique value, but it is in your best interest to make the name meaningful. This is the name referenced in props.conf.
- REGEX = \s([A-Z]+)\s: This is the pattern to test against each event that is handed to us. If this pattern does not match, this transform will not be applied.
- FORMAT = loglevel::$1: Create the loglevel field. Under the hood, all indexed fields are stored using a :: delimiter, so we have to follow that form.
- WRITE_META = True: Without this attribute, the transform won't actually create an indexed field and store it with the event.
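
To check what this stanza would write before deploying it, the following added example (not code from the original page or from Splunk) emulates the three settings over constructed log lines. It assumes Python's `re` behaves like Splunk's regex engine for this simple pattern; `apply_transform` and `index_all` are hypothetical helper names.

```python
import re

# The three settings from the [myapp_loglevel] stanza in the text.
STANZA = {
    "REGEX": r"\s([A-Z]+)\s",
    "FORMAT": "loglevel::$1",
    "WRITE_META": True,
}

def apply_transform(stanza, event):
    """Return the key::value tokens the stanza would store for one event."""
    if not stanza.get("WRITE_META"):
        return []  # per the text: no indexed field is stored without it
    match = re.search(stanza["REGEX"], event)  # only the first match counts
    if match is None:
        return []  # pattern did not match, transform is not applied
    # Expand $1, $2, ... in FORMAT with the corresponding capture groups.
    token = re.sub(r"\$(\d+)",
                   lambda m: match.group(int(m.group(1))),
                   stanza["FORMAT"])
    return [token]

# Constructed sample events (not taken from a real system).
EVENTS = [
    "2012-03-07 12:01:15,321 DEBUG [main] cache warmed",
    "2012-03-07 12:01:16,004 ERROR [auth] login failed for user=bob",
    # No level right after the timestamp: the first all-caps word wins.
    "2012-03-07 12:01:17,518 session GET /admin ERROR returned to client",
    "2012-03-07 12:01:18,102 heartbeat ok",
]

def index_all(stanza, events):
    """Map each event to the indexed-field tokens it would receive."""
    return {event: apply_transform(stanza, event) for event in events}

if __name__ == "__main__":
    for event, tokens in index_all(STANZA, EVENTS).items():
        print(tokens, "<-", event)
```

The third event shows why the pattern deserves a test run: the first whitespace-delimited run of capitals is GET, so that is what gets stored as the log level.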