Getting Data In

How to add an indexed field in a distributed setup?

infrauser
Explorer

Hi folks,

I'm trying to add an indexed field to a distributed setup, but I can't seem to get it working. (I'm aware that indexed fields are not typically recommended)

Here's the scenario: I have multiple indexers at different locations. I need to add a field to every message that is processed which includes the site where it came from.

On my search head (which is distributing the confs to the indexers), I have the following:

/opt/splunk/etc/system/local/props.conf:

[syslog]
TRANSFORMS-location = add_location

/opt/splunk/etc/system/local/transforms.conf

[add_location]
SOURCE_KEY = location
REGEX = (.*)
FORMAT = location::$1
WRITE_META = true

/opt/splunk/etc/system/local/fields.conf

[location]
INDEXED = true
INDEXED_VALUE = false

On the indexer I'm testing with, I have the following:

/opt/splunk/etc/apps/search/local/inputs.conf

[tcp://5514]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true
location = ny

I found a similar question that I've used as a guide.

Any ideas? Are there any logs/commands that I can use to see why the indexed field isn't getting added to the events?

Thanks.

Tags (2)
1 Solution

infrauser
Explorer

I was able to get this working. Here's what my conf files look now:

/opt/splunk/etc/system/local/props.conf:

[syslog]
# TRANSFORMS-location = add_location

/opt/splunk/etc/system/local/transforms.conf

# [add_location]
# SOURCE_KEY = location
# REGEX = (.*)
# FORMAT = location::$1
# WRITE_META = true

/opt/splunk/etc/system/local/fields.conf

# [location]
# INDEXED = true
# INDEXED_VALUE = false

On the indexer I'm testing with, I have the following:

/opt/splunk/etc/apps/search/local/inputs.conf

[tcp://5514]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true
# location = ny
_meta = location::qcy

View solution in original post

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

It should be noted that the field splunk_server is included in every event, and this indicates which indexer it came from. You can search or report on this field. If you must have a field by another name and map the splunk_server names to locations, you would be better off using a lookup table to map splunk_server names to location values.

0 Karma

infrauser
Explorer

I was able to get this working. Here's what my conf files look now:

/opt/splunk/etc/system/local/props.conf:

[syslog]
# TRANSFORMS-location = add_location

/opt/splunk/etc/system/local/transforms.conf

# [add_location]
# SOURCE_KEY = location
# REGEX = (.*)
# FORMAT = location::$1
# WRITE_META = true

/opt/splunk/etc/system/local/fields.conf

# [location]
# INDEXED = true
# INDEXED_VALUE = false

On the indexer I'm testing with, I have the following:

/opt/splunk/etc/apps/search/local/inputs.conf

[tcp://5514]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true
# location = ny
_meta = location::qcy
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...