add dynamic field in splunk

chandansingh · ‎03-03-2011

Hi everyone , i would like to add a field in splunk.but field value does not come in result.

here my source are:- 1. C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest1\host_name\afkcd01_KLZ_Disk_110208.csv 2. C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest2\host_name\afkcd01_KLZ_Disk_110208.csv C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest3\host_name\afkcd01_KLZ_Disk_110208.csv

i want add field with name guest, as above sources there are diffirent diffirent guest like guest1, guest2 and guest. so i would like serch result based on guest field like:- index = "tougou" guest="guest1" index = "tougou" guest="guest2" as we know source always come in result. but i dont know how to add field guest in splunk. please help me to resolve this problem. thanx in advnce.

dwaddle · ‎03-03-2011

If I understand your question correctly, you want to extract a field from the "source" metadata associated with the event. (That is, not from the "_raw" event text.) As far as I know, the only way to do that is to create an indexed field. There are a number of caveats that go along with creating indexed fields - I would recommend discussing your exact scenario and its performance and other implications with Splunk support. That said, we use this as a basic formula for pulling indexed fields from "source":

(props.conf)
[tougou]
TRANSFORMS-guest=togou_guest

(transforms.conf)
[togou_guest]
SOURCE_KEY=MetaData:Source
REGEX=ntt_tougou\\tougou_logs\\([^\\]+)\\
FORMAT=guest::$1
WRITE_META=true

(I am a little unsure on the backslashes and how many are needed in the regex example. My day job is not Windows)

Docs related to this are at: http://www.splunk.com/base/Documentation/latest/Admin/Configureindex-timefieldextraction

add dynamic field in splunk

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms