Hi folks,
I'm trying to add an indexed field to a distributed setup, but I can't seem to get it working. (I'm aware that indexed fields are not typically recommended)
Here's the scenario: I have multiple indexers at different locations. I need to add a field to every message that is processed which includes the site where it came from.
On my search head (which is distributing the confs to the indexers), I have the following:
/opt/splunk/etc/system/local/props.conf:
[syslog]
TRANSFORMS-location = add_location
/opt/splunk/etc/system/local/transforms.conf
[add_location]
SOURCE_KEY = location
REGEX = (.*)
FORMAT = location::$1
WRITE_META = true
/opt/splunk/etc/system/local/fields.conf
[location]
INDEXED = true
INDEXED_VALUE = false
On the indexer I'm testing with, I have the following:
/opt/splunk/etc/apps/search/local/inputs.conf
[tcp://5514]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true
location = ny
I found a similar question that I've used as a guide.
Any ideas? Are there any logs/commands that I can use to see why the indexed field isn't getting added to the events?
Thanks.
I was able to get this working. Here's what my conf files look like now:
/opt/splunk/etc/system/local/props.conf:
[syslog]
# TRANSFORMS-location = add_location
/opt/splunk/etc/system/local/transforms.conf
# [add_location]
# SOURCE_KEY = location
# REGEX = (.*)
# FORMAT = location::$1
# WRITE_META = true
/opt/splunk/etc/system/local/fields.conf
# [location]
# INDEXED = true
# INDEXED_VALUE = false
On the indexer I'm testing with, I have the following:
/opt/splunk/etc/apps/search/local/inputs.conf
[tcp://5514]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true
# location = ny
_meta = location::qcy
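A check worth running once this is rolled out to several indexers: confirm that every indexer's inputs.conf stanza actually carries the location in `_meta` (a plain `location = ny` key is silently ignored, as the question shows) and see which site code each one sets. This is an added Python example, not code from the thread; the conf text, indexer names and site codes are constructed for illustration.

```python
import re

# Constructed sample inputs.conf text per indexer (not from the thread); the
# stanza mirrors the answer above, with made-up site codes for each indexer.
INPUTS_BY_INDEXER = {
    "idx-ny":  "[tcp://5514]\nsourcetype = syslog\n_meta = location::ny\n",
    "idx-qcy": "[tcp://5514]\nsourcetype = syslog\n_meta = location::qcy\n",
    # A plain 'location = lon' key is not an indexed field; only _meta is.
    "idx-lon": "[tcp://5514]\nsourcetype = syslog\nlocation = lon\n",
}

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
KV_RE = re.compile(r"^(?P<key>[^=#\s][^=]*?)\s*=\s*(?P<value>.*)$")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := STANZA_RE.match(line)):
            current = m.group("name")
            stanzas.setdefault(current, {})
        elif (m := KV_RE.match(line)) and current is not None:
            stanzas[current][m.group("key")] = m.group("value").strip()
    return stanzas

def meta_fields(stanza):
    """Split a stanza's _meta value into {field: value} ('key::value' pairs, space separated)."""
    pairs = {}
    for token in stanza.get("_meta", "").split():
        field, sep, value = token.partition("::")
        if sep:
            pairs[field] = value
    return pairs

def check_meta_field(conf_by_indexer, stanza="tcp://5514", field="location"):
    """Return ({indexer: value} for indexers that index `field` via _meta, [indexers that do not])."""
    values, missing = {}, []
    for indexer, text in conf_by_indexer.items():
        fields = meta_fields(parse_conf(text).get(stanza, {}))
        if field in fields:
            values[indexer] = fields[field]
        else:
            missing.append(indexer)
    return values, sorted(missing)

if __name__ == "__main__":
    print(check_meta_field(INPUTS_BY_INDEXER))
```

On the constructed sample this reports `ny` and `qcy` for the first two indexers and flags `idx-lon`, whose stanza never sets `_meta`.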
It should be noted that the field splunk_server is included in every event, and this indicates which indexer it came from. You can search or report on this field. If you must have a field by another name and map the splunk_server names to locations, you would be better off using a lookup table to map splunk_server names to location values.