Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extracting field from source for indexing

Krishna_R
Path Finder
‎09-12-2010 12:29 PM

Hi,

I have to add a field which has to be indexed along with the default fields. I can pick up the value from the Source directory name in the monitored path.

For e.g.: inputs.conf:

[monitor://c:\splunk-data\...\*]

I want the new field 'project_number' value from the directory replacing ... (There are a lot of values for 'project' and all the queries will use the 'project' as a filter, so its better indexed)

The problem is I'm not able to extract the field name from the Source. Following is teh configuration files in my app.

fields.conf:

[project_number]
INDEX = True
INDEXED_VALUE = False

props.conf:

[mysourcetype]
EXTRACT-...
TRANSFORM-FIELDS = get_project_num

transforms.conf:

SOURCE_KEY = Metadata:Source
REGEX = C:\\splunk\-data\\([0-9\-]*)\\([0-9\-]*)
FORMAT = project_number::"$1"
WRITE_META=true

The monitor is picking up the new files as I add to test, but the project_number field is never populated.

Please let me know if I'm missing something.

Thank you, Krishna

Tags (1)
Reply

drrushi_splunk
Splunk Employee
Splunk Employee
‎01-31-2012 06:03 PM

[project_number]
INDEX = True
INDEXED_VALUE = False

this should be sufficient:

[project_number]
INDEXED = True

0 Karma
Reply

Branden
Builder
‎09-12-2010 02:08 PM

I think you need to include the [get_project_num] stanza in your transforms.conf. Like this:

[get_project_num]
SOURCE_KEY = MetaData:Source
REGEX = C:\splunk-data\([0-9-])\([0-9-])
FORMAT = project_number::"$1"
WRITE_META = true

I think your regex may be off too. In your inputs.conf, you're monitoring "c:\splunk-data...*". But your transforms.conf regex includes a slash after c:\splunk-data. That may be correct, but it looks inconsistent with what you typed as your inputs.conf example.

Anyways, I hope this helped. 🙂

0 Karma
Reply

Krishna_R
Path Finder
‎09-14-2010 04:01 AM

Hey Branden, thanks for your reply, missed to reply yesterday. I have to use the extra slash for escaping the slash - as with standard regex. Otherwise there are varying error messages...

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...