I have a dedicated index for syslogs that I would like to add a 'static field' to:

MonFunc=sysmsgs ### Add to all events in this index

I'm trying to merge this data with related info in another logging index (which has a field extract for various function errors, generating the MonFunc). But, doing an aggregate table-based summary (from all indexes), grouped by MonFunc, has all the syslogs showing up as NULL.

I know of one possible workaround (our monitor system has its own filter and log, adding its own msg before the actual syslog), but would prefer a 'simpler' solution than generating a custom syslog extractor. It would also end up bypassing other data that may be useful long-term, which I'm trying to avoid.

asked 20 Apr '11, 04:48

tskimball

edited 20 Apr '11, 04:50

Are you simply trying to insert a placeholder field which will be later defined by other query?

(20 Apr '11, 05:45) netwrkr

This is for adding an (already defined) field that shows what function the message came from.

In the case of our monitoring app, all syslogs come from a function named 'sysmsgs.' Setting that field for all incoming syslogs will help prevent confusion for our end users.

(20 Apr '11, 21:35) tskimball

2 Answers:

To add a static kv pair to all events in an index I would recommend using a lookup table to map index->MonFunc. The trick is to use a global (no stanza) property unless you can scope to a particular source/sourcetype/host. I didn't find the name of your index, so be sure to change "index_name" to reflect the name of the index you want to assign the kv pair to:

## MonFunc.csv
index,MonFunc
index_name,sysmsgs

## transforms.conf
[MonFunc_lookup]
filename = MonFunc.csv

## props.conf
LOOKUP-MonFunc_for_index_name = MonFunc_lookup index OUTPUT MonFunc

answered 20 Apr '11, 10:54

hazekamp

edited 20 Apr '11, 10:55

Excellent, that worked. Thanks.

(20 Apr '11, 21:42) tskimball

Devise a common sourcetype

Example lookup CSV called myexample.csv:

sourcetype,SLA,NAME,VALUE
foobar,99,TechnicalError,456

transforms.conf:

[myexamplelookup]
filename = myexample.csv

props.conf:

[foobar]
LOOKUP-myexamplelookup = myexamplelookup sourcetype OUTPUT SLA NAME VALUE


answered 21 Sep '12, 20:06

davecroto

edited 21 Sep '12, 20:08
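Both answers rely on the same mechanism: an automatic lookup whose input field(s) must all be present on the event and match a CSV row before the OUTPUT fields are added. The following is an added Python emulation of that behaviour (not code from the thread or from Splunk) run over a constructed index->MonFunc table and constructed sample events; the index names and event contents are invented for illustration.

```python
import csv
import io
from collections import Counter

# Constructed lookup table, same shape as the MonFunc.csv in the first answer.
MONFUNC_CSV = """index,MonFunc
syslog_idx,sysmsgs
"""

# Constructed sample events. The app index already carries MonFunc from a
# field extraction; the syslog index does not, which is why grouping by
# MonFunc showed NULL for every syslog event before the lookup was added.
EVENTS = [
    {"index": "app_idx", "host": "web01", "MonFunc": "TechnicalError", "_raw": "ERR 456 in checkout"},
    {"index": "app_idx", "host": "web02", "MonFunc": "TechnicalError", "_raw": "ERR 456 in payment"},
    {"index": "syslog_idx", "host": "fw01", "_raw": "kernel: link down eth0"},
    {"index": "syslog_idx", "host": "fw02", "_raw": "sshd: accepted publickey"},
    {"index": "other_idx", "host": "db01", "_raw": "slow query"},  # no row in the CSV
]

def load_lookup(csv_text, input_fields):
    """Parse a lookup CSV into {(input values...): row}, keyed on input_fields."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {tuple(r[f] for f in input_fields): r for r in rows}

def apply_lookup(events, table, input_fields, output_fields):
    """Emulate a props.conf LOOKUP-* stanza: every input field must exist on the
    event and the tuple must match a row; only then are output fields set
    (OUTPUT semantics, i.e. an existing value is overwritten)."""
    enriched = []
    for ev in events:
        ev = dict(ev)
        if all(f in ev for f in input_fields):
            row = table.get(tuple(ev[f] for f in input_fields))
            if row:
                for f in output_fields:
                    ev[f] = row[f]
        enriched.append(ev)
    return enriched

def count_by_monfunc(events):
    """Aggregate like '| stats count by MonFunc'; events lacking the field count as None (NULL)."""
    return dict(Counter(ev.get("MonFunc") for ev in events))

if __name__ == "__main__":
    table = load_lookup(MONFUNC_CSV, ["index"])
    print("before:", count_by_monfunc(EVENTS))
    print("after: ", count_by_monfunc(apply_lookup(EVENTS, table, ["index"], ["MonFunc"])))
```

An index with no CSV row (other_idx above) still aggregates under None, which is the NULL group the question describes; adding a row per index is what removes it.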

Asked: 20 Apr '11, 04:48

Seen: 1,213 times

Last updated: 21 Sep '12, 20:08

Copyright © 2005-2014 Splunk Inc. All rights reserved.