Our deployed application services have a static deployment name of this format:
{service name}-{environment}-{the release name}
Example: service1-stage-release-1-0-1
Where the tokens I'm interested in are:
service1 is irrelevant here since its value is equal to the sourcetype for all events in this application, so I can already filter by sourcetype=service1
My goal is for each event to be able to filter thusly:
sourcetype=service1
environment=stage
release_name=release-1-0-1
This Deployment Name is currently held as a value in user-data (these are EC2 instances), though we could simply write it out to a splunk config file on first boot of these servers.
I've been reading the props.conf and transforms.conf docs but I have been unable to determine how to enable the functionality described above. Any pointers, links, and/or advice greatly appreciated.
thanks,
Sam
If you're going to assign these fields values based on what server they're collected from at the time of collection, you'll need to set index-time fields, which you can do with the write-meta command. Here's an example from another "answer". Instead of using it by sourcetype, use it by host=*.
http://answers.splunk.com/answers/97641/custom-fields-at-index-time
Jon, thanks for the reply, very helpful.
These props and transforms conf files are working for me, I get app_env, and app_release fields on the left pane that I can filter by.
Do you see any improvements or simplifications that can be made?
# ---- props.conf ----
[host::*]
TRANSFORMS-release_name = release_name

# ---- transforms.conf -----
[release_name]
REGEX=(.*)
FORMAT=$1 app_env::stage app_release::1-0-13-1
WRITE_META = true
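
The first-boot step mentioned in the question, as an added example that is not code from either poster: it splits the deployment name into the two field values and renders the props.conf and transforms.conf stanzas, rejecting names containing characters that could alter the generated config. Assumptions: the name is passed in as an argument rather than read from user-data, the function names are hypothetical, the full release name is kept as the app_release value, and the transform uses REGEX = . with a constant FORMAT (no $1).

```shell
#!/bin/sh
# Added example: derive index-time field values from a deployment name of the
# form {service name}-{environment}-{release name} and render Splunk stanzas.
export LC_ALL=C   # make the a-z range below byte-exact

# Sets SERVICE, APP_ENV, APP_RELEASE. Returns 1 on malformed input.
parse_deployment_name() {
    name=$1
    # Allow only lowercase letters, digits and hyphens, so a value taken from
    # user-data cannot inject spaces, newlines, "::" or extra stanzas.
    case $name in
        ''|*[!a-z0-9-]*) return 1 ;;
    esac
    SERVICE=${name%%-*}            # text before the first hyphen
    rest=${name#*-}
    [ "$rest" != "$name" ] || return 1
    APP_ENV=${rest%%-*}            # second token
    APP_RELEASE=${rest#*-}         # remainder keeps its own hyphens
    [ "$APP_RELEASE" != "$rest" ] || return 1
    [ -n "$SERVICE" ] && [ -n "$APP_ENV" ] && [ -n "$APP_RELEASE" ] || return 1
}

# props.conf stanza: apply the transform to events from every host.
render_props() {
    printf '[host::*]\nTRANSFORMS-release_name = release_name\n'
}

# transforms.conf stanza: write both fields into index-time metadata.
# Assumption: a constant FORMAT is used, without the $1 capture.
render_transforms() {
    parse_deployment_name "$1" || return 1
    printf '[release_name]\nREGEX = .\nFORMAT = app_env::%s app_release::%s\nWRITE_META = true\n' \
        "$APP_ENV" "$APP_RELEASE"
}

# Constructed sample input: the deployment name from the question.
render_props
render_transforms "service1-stage-release-1-0-1"
```
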