Splunk Search

How to extract fields from one event in a log file and append them to other events in the same log?

blee_i365
Explorer

My log files:

=============
2011-06-05 05:11:23.234 Program Version 10.02.2345
2011-06-05 05:11:23.239 event 1
2011-06-05 05:11:23.250 event 2
...
...
2011-06-05 10:10:13.150 event 20000
2011-06-05 10:10:13.151 event 20001
=============

I'd like to include a "ProgramVersion" field with value "10.02.2345" in all events contained in the same log file. With field extraction, I can easily create this field and assign it the value 10.02.2345. However, this field is not associated with subsequent events. Is there a way to achieve this?

1 Solution

mw
Splunk Employee

Ah, gotcha. Something like this maybe:

source=mysource.log event=* | appendcols [search source=mysource.log ProgramVersion=* | fields ProgramVersion]

blee_i365
Explorer

Thank you mv. That gets what I need.

0 Karma

blee_i365
Explorer

Hi mv, thanks for the reply. Unfortunately that post doesn't seem to do what I want, which is when I search for "event 20001" for example (or any event within the same log file) I want it to also include a field called ProgramVersion containing value 10.02.2345.

Another way to put this is there is information of interest at the beginning of my log file, and I want this information to be visible to all events recorded in this log.

Thanks in advance.

0 Karma
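
The requirement described in this thread (a value that appears once at the top of a log should be visible on every later event from the same file) can also be met before indexing. The following is an added example, not code from any poster or from Splunk: it assumes the log format shown in the question, and the names `enrich` and `to_kv` and the `ProgramVersion=` suffix are illustrative choices.

```python
import re

# Constructed sample in the format shown in the question (not real data).
SAMPLE_LOG = """\
2011-06-05 05:11:23.234 Program Version 10.02.2345
2011-06-05 05:11:23.239 event 1
2011-06-05 05:11:23.250 event 2
2011-06-05 10:10:13.150 event 20000
2011-06-05 10:10:13.151 event 20001
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
VERSION_RE = re.compile(r"^Program Version (\S+)$")


def enrich(lines):
    """Yield one dict per event, carrying forward the most recent version header."""
    version = None  # unknown until a header line has been seen
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\r\n"))
        if not m:
            continue  # skip blank or malformed lines
        timestamp, message = m.groups()
        header = VERSION_RE.match(message)
        if header:
            version = header.group(1)  # a later header replaces the earlier one
            continue  # the header itself is not emitted as an event
        yield {"timestamp": timestamp, "message": message, "ProgramVersion": version}


def to_kv(event):
    """Render an event as a log line with the version appended as key=value."""
    line = f"{event['timestamp']} {event['message']}"
    if event["ProgramVersion"] is not None:
        line += f" ProgramVersion={event['ProgramVersion']}"
    return line


if __name__ == "__main__":
    for event in enrich(SAMPLE_LOG.splitlines()):
        print(to_kv(event))
```

Events that precede any header are emitted without the field rather than with a guessed value, and a second header in the same file (for example after a restart) applies only to the events that follow it.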
