Hi,
I have to add a field which has to be indexed along with the default fields. I can pick up the value from the Source directory name in the monitored path.
For example, inputs.conf:
[monitor://c:\splunk-data\...\*]
I want the new field 'project_number' value from the directory replacing ... (There are a lot of values for 'project' and all the queries will use the 'project' as a filter, so it's better indexed.)
The problem is I'm not able to extract the field name from the Source. Following are the configuration files in my app.
fields.conf:
[project_number]
INDEX = True
INDEXED_VALUE = False
props.conf:
[mysourcetype]
EXTRACT-...
TRANSFORM-FIELDS = get_project_num
transforms.conf:
SOURCE_KEY = Metadata:Source
REGEX = C:\\splunk\-data\\([0-9\-]*)\\([0-9\-]*)
FORMAT = project_number::"$1"
WRITE_META = true
The monitor is picking up the new files as I add to test, but the project_number field is never populated.
Please let me know if I'm missing something.
Thank you, Krishna
[project_number]
INDEX = True
INDEXED_VALUE = False
this should be sufficient:
[project_number]
INDEXED = True
I think you need to include the [get_project_num] stanza in your transforms.conf. Like this:
[get_project_num]
SOURCE_KEY = MetaData:Source
REGEX = C:\\splunk\-data\\([0-9\-]*)\\([0-9\-]*)
FORMAT = project_number::"$1"
WRITE_META = true
I think your regex may be off too. In your inputs.conf, you're monitoring "c:\splunk-data...*". But your transforms.conf regex includes a slash after c:\splunk-data. That may be correct, but it looks inconsistent with what you typed as your inputs.conf example.
Anyways, I hope this helped. 🙂
Hey Branden, thanks for your reply; I missed replying yesterday. I have to use the extra slash for escaping the slash - as with standard regex. Otherwise there are varying error messages...
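An added check, not from the thread and not Splunk code: a small Python simulation of the transform Branden describes, run against constructed Source paths, so you can confirm what $1 captures before the field is written at index time (index-time fields cannot be re-extracted from events that are already indexed). It assumes FORMAT without the quotes around $1, and that REGEX is case-sensitive, as PCRE is by default.

```python
import re

# Transform stanza as discussed in the thread (constructed for this example;
# the quotes around $1 in FORMAT are left out here).
TRANSFORM = {
    "SOURCE_KEY": "MetaData:Source",
    "REGEX": r"C:\\splunk\-data\\([0-9\-]*)\\([0-9\-]*)",
    "FORMAT": "project_number::$1",
}


def apply_format(fmt, match):
    """Substitute $1, $2, ... with the REGEX capture groups, as FORMAT does."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))) or "", fmt)


def extract_indexed_field(source, transform=TRANSFORM):
    """Simulate the transform against one event's Source metadata.

    Returns {field: value} when REGEX matches, or None when it does not
    (no indexed field would be added for that event).
    """
    match = re.search(transform["REGEX"], source)
    if match is None:
        return None
    field, value = apply_format(transform["FORMAT"], match).split("::", 1)
    return {field: value}


# Constructed sample Source values, as the monitor would report them.
SAMPLE_SOURCES = [
    r"C:\splunk-data\2023-001\app.log",    # project dir present -> field set
    r"C:\splunk-data\2023-001\sub\x.log",  # deeper path still matches
    r"C:\splunk-data\app.log",             # no project dir -> no match
    r"c:\splunk-data\2023-001\app.log",    # lower-case drive -> no match
    r"D:\other\2023-001\app.log",          # outside monitored tree -> None
]


def check_sources(sources=SAMPLE_SOURCES):
    """Run the simulation over every sample and return {source: result}."""
    return {src: extract_indexed_field(src) for src in sources}


if __name__ == "__main__":
    for src, result in check_sources().items():
        print(src, "->", result)
```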