I have a dedicated index for syslogs that I would like to add a 'static field' to:
MonFunc=sysmsgs ### Add to all events in this index
I'm trying to merge this data with related info in another logging index (which has a field extract for various function errors, generating the MonFunc). But, doing an aggregate table-based summary (from all indexes), grouped by MonFunc, has all the syslogs showing up as NULL.
I know of one possible workaround (our monitor system has its own filter and log, adding its own msg before the actual syslog), but would prefer a 'simpler' solution than generating a custom syslog extractor. It would also end up bypassing other data that may be useful long-term, which I'm trying to avoid.
To add a static kv pair to all events in an index I would recommend using a lookup table to map index->MonFunc. The trick is to use a global (no stanza) property unless you can scope to a particular source/sourcetype/host. I didn't find the name of your index, so be sure to change "index_name" to reflect the name of the index you want to assign the kv pair to:
## MonFunc.csv
index,MonFunc
index_name,sysmsgs

## transforms.conf
[MonFunc_lookup]
filename = MonFunc.csv

## props.conf
LOOKUP-MonFunc_for_index_name = MonFunc_lookup index OUTPUT MonFunc
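An added example (not from the answer above) showing the same lookup scoped to a sourcetype rather than applied globally, together with the searches used to check that every event in the index picks up MonFunc; the sourcetype name `syslog` is an assumption.

```ini
# MonFunc.csv (in the app's lookups/ directory; same two columns as the answer)
# index,MonFunc
# index_name,sysmsgs

# transforms.conf
[MonFunc_lookup]
filename = MonFunc.csv

# props.conf, scoped to the sourcetype carried by the syslog index instead of
# a stanza-less global property. 'syslog' is an assumed sourcetype name.
[syslog]
LOOKUP-MonFunc_for_index = MonFunc_lookup index OUTPUTNEW MonFunc

# Checks, run from the search bar:
#
# 1. Before wiring the automatic lookup into props.conf, run the same lookup
#    by hand to confirm the CSV keys match the literal index names:
#      index=index_name | lookup MonFunc_lookup index OUTPUTNEW MonFunc
#        | stats count by index MonFunc
#
# 2. After deploying props.conf, every event should carry MonFunc; any index
#    still reported as NULL is missing from MonFunc.csv (or the lookup
#    definition and file are not shared with the app the search runs in):
#      index=* | fillnull value=NULL MonFunc | stats count by index MonFunc
#
# 3. OUTPUTNEW rather than OUTPUT: if this stanza ever matches events from the
#    other index, the MonFunc already extracted there is left untouched.
```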