Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Creating Index time fields for your HF's

Jarohnimo
Builder
‎11-10-2020 06:36 AM

I'm trying to follow guides on how to create a new indexed field. Basically creating a field that gives us the name of the hf the data came from: "Splunk_HF"

Im having a hard time understanding how to actually grab the heavy forwarders name. If this was a raw log i would attempt to do regex on the host based on where that name in we can within the log but here in drawing a blank. It's like I'm pulling the info from the air and I simply don't know the right syntax to make this happen

I'm sure plenty have done it his before and it should be similar for each of us. Can someone please stir me in the right direction with my configurations

 

This is my idea so far, can someone please correct my mistakes


Transforms.conf
[getting_splunk_forwarder]
DEST_KEY = MetaData:Host
REGEX = I have no idea
Format = host::$1

Props.conf
TRANSFORMS-extract = getting_splunk_forwarder

Fields.conf
[getting_splunk_forwarder]
INDEXED = true

 

I really do appreciate splunk docs and generally people will post links for answers by themselves, but if someone could please show me the proper syntax in the stanza it will help me understand.

Labels (3)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-10-2020 07:22 AM

A regex won't do since the name of the HF is not to be found in the data so it can't be extracted.  Consider using INGEST_EVAL to create the desired field.

Transforms.conf:

 

[getting_splunk_forwarder]
INGEST_EVAL = Splunk_HF="foo"

 

 Unfortunately, I believe the value needs to be hard-coded since Splunk can't take advantage of environment variables.

BTW, resist the urge to put the HF name in the host field.  You'll find it less useful than you think and you'll lose the original host of the data.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...