I have a dedicated index for syslogs that I would like to add a 'static field' to:

MonFunc=sysmsgs ### Add to all events in this index

I'm trying to merge this data with related info in another logging index (which has a field extract for various function errors, generating the MonFunc). But, doing an aggregate table-based summary (from all indexes), grouped by MonFunc, has all the syslogs showing up as NULL.

I know of one possible workaround (our monitor system has its own filter and log, adding its own msg before the actual syslog), but would prefer a 'simpler' solution than generating a custom syslog extractor. It would also end up bypassing other data that may be useful long-term, which I'm trying to avoid.

asked 20 Apr '11, 04:48


edited 20 Apr '11, 04:50

Are you simply trying to insert a placeholder field which will be later defined by other query?

(20 Apr '11, 05:45) netwrkr

This is for adding an (already defined) field that shows what function the message came from.

In the case of our monitoring app, all syslogs come from a function named 'sysmsgs.' Setting that field for all incoming syslogs will help prevent confusion for our end users.

(20 Apr '11, 21:35) tskimball

2 Answers:

To add a static kv pair to all events in an index I would recommend using a lookup table to map index->MonFunc. The trick is to use a global (no stanza) property unless you can scope to a particular source/sourcetype/host. I didn't find the name of your index, so be sure to change "index_name" to reflect the name of the index you want to assign the kv pair to:

## MonFunc.csv
## (the column names must match the lookup definition below: "index" is the
## match key, "MonFunc" is the field written out; the value "sysmsgs" is the
## one you want for all events in that index)
index,MonFunc
index_name,sysmsgs

## transforms.conf
[MonFunc_lookup]
filename = MonFunc.csv

## props.conf (global, no stanza, so it applies to every event)
LOOKUP-MonFunc_for_index_name = MonFunc_lookup index OUTPUT MonFunc

answered 20 Apr '11, 10:54


edited 20 Apr '11, 10:55

Excellent, that worked. Thanks.

(20 Apr '11, 21:42) tskimball

Devise a common sourcetype.

Example lookup csv called myexample.csv:

sourcetype,SLA,NAME,VALUE
foobar,99,TechnicalError,456

transforms.conf:

[myexamplelookup]
filename=myexample.csv

props.conf:

[foobar]
LOOKUP-myexamplelookup = myexamplelookup sourcetype OUTPUT SLA NAME VALUE


answered 21 Sep '12, 20:06


edited 21 Sep '12, 20:08
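Both answers rely on the same mechanism: an automatic lookup that matches one field every event already carries (the index in hazekamp's answer, the sourcetype in davecroto's) and writes static values into the event at search time. The following Python is an added illustration, not code from either answer or from Splunk: it reproduces that enrichment over a few constructed events to show why the syslog events grouped as NULL before the lookup existed and how they pick up MonFunc=sysmsgs afterwards. The CSV contents, event records and index/sourcetype names are constructed sample data; the two lookup CSVs mirror the shapes given in the answers.

```python
import csv
import io
from collections import Counter

# Constructed lookup in the shape of hazekamp's MonFunc.csv: one row per index.
MONFUNC_CSV = """index,MonFunc
syslog_idx,sysmsgs
"""

# Constructed lookup in the shape of davecroto's myexample.csv, keyed on sourcetype.
MYEXAMPLE_CSV = """sourcetype,SLA,NAME,VALUE
foobar,99,TechnicalError,456
"""

# Constructed events: two syslogs with no MonFunc extracted, two application
# log events where a field extraction already produced MonFunc, and one
# event on the "foobar" sourcetype for the second lookup.
EVENTS = [
    {"index": "syslog_idx", "sourcetype": "syslog", "_raw": "kernel: link up"},
    {"index": "syslog_idx", "sourcetype": "syslog", "_raw": "sshd: session opened"},
    {"index": "app_idx", "sourcetype": "app_log", "_raw": "ERR funcA", "MonFunc": "funcA"},
    {"index": "app_idx", "sourcetype": "app_log", "_raw": "ERR funcB", "MonFunc": "funcB"},
    {"index": "app_idx", "sourcetype": "foobar", "_raw": "TechnicalError 456"},
]


def load_lookup(csv_text, key_field):
    """Parse a lookup CSV into {key_value: {output_field: value}}.

    key_field names the column the lookup matches on (the field listed before
    OUTPUT in the LOOKUP- line); every other column is an output field."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row.pop(key_field)
        table[key] = row
    return table


def apply_lookup(events, table, key_field, output_fields, overwrite=False):
    """Mimic a props.conf LOOKUP- entry at search time.

    For each event whose key_field matches a row, copy output_fields from
    the row. overwrite=False keeps a value that a field extraction already
    produced (Splunk's OUTPUTNEW); overwrite=True replaces it (OUTPUT)."""
    enriched = []
    for ev in events:
        ev = dict(ev)  # never mutate the caller's events
        row = table.get(ev.get(key_field))
        if row is not None:
            for field in output_fields:
                if overwrite or field not in ev:
                    ev[field] = row[field]
        enriched.append(ev)
    return enriched


def count_by(events, field):
    """Equivalent of the aggregate the question describes (count grouped by
    field); events that lack the field are reported under NULL."""
    return dict(Counter(ev.get(field, "NULL") for ev in events))


def demo():
    """Run both lookups and return the before/after aggregates for checking."""
    monfunc = load_lookup(MONFUNC_CSV, "index")
    myexample = load_lookup(MYEXAMPLE_CSV, "sourcetype")

    before = count_by(EVENTS, "MonFunc")
    step1 = apply_lookup(EVENTS, monfunc, "index", ["MonFunc"])
    step2 = apply_lookup(step1, myexample, "sourcetype", ["SLA", "NAME", "VALUE"])
    after = count_by(step2, "MonFunc")
    foobar = [ev for ev in step2 if ev["sourcetype"] == "foobar"][0]
    return {"before": before, "after": after, "foobar_sla": foobar.get("SLA")}


if __name__ == "__main__":
    print(demo())
```

The before/after aggregates show the symptom and the cure: the two syslog events count under NULL until the index-keyed lookup runs, after which they count under sysmsgs while the application events keep the MonFunc values their own extraction produced. Keeping `overwrite=False` is the safe default for the question's situation, because an automatic lookup that overwrote an already-extracted MonFunc would silently mislabel the application log events.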


Asked: 20 Apr '11, 04:48

Seen: 1,213 times

Last updated: 21 Sep '12, 20:08

Copyright © 2005-2014 Splunk Inc. All rights reserved.