I don't seem to be able to set up a field transformation using a Source Key that comes from a JSON event field.
I have events like this:
{
  "time": "2013-06-23T13:55:37+00:00",
  "handler": "UsersController#index"
}
And I'd like to extract "UsersController" and "index" from the "handler" field. I have props.conf configured with KV_MODE=json.
I added this transform via the GUI:
[controller_action_transform]
CLEAN_KEYS = 1
MV_ADD = 0
REGEX = (?<controller>.*)#(?<action>.*)
SOURCE_KEY = handler
and this field extraction:
[json]
REPORT-controller_action_extraction = controller_action_transform
However, when I do a query like this:
sourcetype=json | table handler controller action
I do get results for "handler" but don't get anything for "controller" or "action":
| handler               | controller | action |
|-----------------------|------------|--------|
| UsersController#index |            |        |
If I change the transform SOURCE_KEY to "_raw" then I do get results for controller & action (though not exactly correct).
Also, I can do an inline "rex" field extraction using the "handler" field and get the correct results. That is, this works just fine:
sourcetype=json | rex field=handler "(?<controller>.*)#(?<action>.*)" | table handler controller action
Am I doing something wrong with the transform? Are JSON-extracted fields not available for use in transforms or something?
(NOTE: The above is just some sample data I created for testing this out. The real logs that I need to use this on have more data and nested keys and so forth, so a workaround that involves not using the extracted JSON fields would be pretty non-ideal.)
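
Why the transform finds no `handler` while the inline `rex` does, modelled in Python as an added example (not part of the original post and not Splunk code). It assumes Splunk's documented search-time sequence, in which REPORT transforms run before KV_MODE automatic extraction; the function names are hypothetical and the event is a constructed single-line copy of the sample above.

```python
import json
import re

# Constructed sample event: single-line copy of the one in the post.
RAW = '{"time": "2013-06-23T13:55:37+00:00", "handler": "UsersController#index"}'

# The transform's REGEX, rewritten in Python's named-group syntax.
TRANSFORM = re.compile(r"(?P<controller>.*)#(?P<action>.*)")


def report(fields, source_key):
    """REPORT stage: apply the transform to source_key, if that field exists yet."""
    value = fields.get(source_key)
    match = TRANSFORM.search(value) if value is not None else None
    return match.groupdict() if match else {}


def kv_json(fields):
    """KV_MODE=json stage: top-level JSON keys of _raw become fields."""
    return json.loads(fields["_raw"])


def search_time(raw, source_key):
    """Run the stages in the assumed order: REPORT first, then KV_MODE=json."""
    fields = {"_raw": raw}
    fields.update(report(fields, source_key))  # 'handler' does not exist yet
    fields.update(kv_json(fields))             # 'handler' appears only here
    return fields


def late_extract(fields):
    """A step that runs after KV_MODE (like the inline rex) can read 'handler'."""
    return {**fields, **report(fields, "handler")}


if __name__ == "__main__":
    for key in ("handler", "_raw"):
        out = search_time(RAW, key)
        print(f"SOURCE_KEY={key}: controller={out.get('controller')!r} "
              f"action={out.get('action')!r}")
    late = late_extract(search_time(RAW, "handler"))
    print(f"after KV_MODE: controller={late['controller']!r} action={late['action']!r}")
```

Calculated fields (`EVAL-` settings in props.conf) run after KV_MODE in that sequence, so they can read `handler` the way the inline `rex` does.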