I was reading the documentation, but I didn't see anything on whether it's possible to set an index-wide property within props.conf.
For instance:
[my_sourcetype]
EXTRACT-field1 = field_(?<myfield>\w+)
Is there a way to add an extracted field to a sourcetype?
Is there such a thing as this, or a way to do it for an entire index?
[my_index]
EXTRACT-field1 = field_(?<myfield>\w+)
You can do this globally for all data within Splunk by using the [default] stanza within any props.conf, but not by index, at least to my knowledge.
[default]
EXTRACT-<class> = [<regex>|<regex> in <src_field>]
Example:
[default]
EXTRACT-foo = seattle-(?<system_type>\w{3})-\d{3} in host
The host field now creates a system_type field containing any three letters. If host contained seattle-dcs-001, system_type would contain dcs.
Cheers, I hope this helps.
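To make the answer above concrete, here is an added Python example (not part of the original thread and not Splunk's own code) that emulates how props.conf EXTRACT-<class> rules are applied: the optional "in <src_field>" form from the answer is parsed, the [default] stanza applies to every event, a sourcetype stanza applies only to events of that sourcetype, and a [my_index] stanza like the one in the question is simply never consulted because index is not a stanza lookup key. The props.conf fragment, the event records and their field values are all constructed for the demo; the precedence model (default first, then sourcetype) is a simplification of Splunk's real stanza resolution.

```python
import re

# Constructed props.conf fragment for the demo (not from the thread or from Splunk).
# Splunk uses PCRE (?<name>...) groups; the parser rewrites them for Python below.
PROPS_CONF = r"""
[default]
EXTRACT-foo = seattle-(?<system_type>\w{3})-\d{3} in host

[my_sourcetype]
EXTRACT-field1 = field_(?<myfield>\w+)

[my_index]
EXTRACT-field1 = field_(?<myfield>\w+)
"""

# Constructed sample events; each carries the metadata fields Splunk attaches.
EVENTS = [
    {"_raw": "field_alpha ok", "host": "seattle-dcs-001",
     "sourcetype": "my_sourcetype", "index": "my_index"},
    {"_raw": "field_beta ok", "host": "seattle-web-002",
     "sourcetype": "other_sourcetype", "index": "my_index"},
    {"_raw": "no match here", "host": "portland-dcs-001",
     "sourcetype": "other_sourcetype", "index": "other_index"},
]


def parse_props(text):
    """Return {stanza: [(class, compiled_regex, src_field), ...]} for EXTRACT-* keys."""
    stanzas = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if current is None or not key.startswith("EXTRACT-"):
            continue
        # "<regex> in <src_field>" runs the regex against that field; otherwise _raw.
        # (Simplified: assumes the regex itself does not end in " in <word>".)
        m = re.match(r"^(.*?)\s+in\s+(\w+)$", value)
        regex, src = (m.group(1), m.group(2)) if m else (value, "_raw")
        # Convert PCRE named groups (?<name>...) to Python's (?P<name>...).
        regex = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", regex)
        stanzas[current].append((key[len("EXTRACT-"):], re.compile(regex), src))
    return stanzas


def extract_fields(event, stanzas):
    """Apply [default] and then the event's sourcetype stanza.

    Only "default" and the sourcetype name are looked up: a stanza named after
    an index (e.g. [my_index]) is never matched, which is the point of the thread.
    """
    fields = dict(event)
    for name in ("default", event.get("sourcetype")):
        for _cls, regex, src in stanzas.get(name, []):
            m = regex.search(fields.get(src) or "")
            if m:
                fields.update(m.groupdict())
    return fields


def run_demo():
    """Run every constructed event through the parsed rules and return the results."""
    stanzas = parse_props(PROPS_CONF)
    return [extract_fields(e, stanzas) for e in EVENTS]


if __name__ == "__main__":
    for out in run_demo():
        print({k: out.get(k) for k in ("index", "sourcetype", "system_type", "myfield")})
```

Running it shows the first event getting both system_type=dcs (from [default], matched against host) and myfield=alpha (from its sourcetype stanza), while the second event, despite living in my_index, only gets system_type=web: nothing ever reads the [my_index] stanza, so the only way to scope an extraction narrower than [default] is by sourcetype (or another key Splunk actually resolves stanzas by).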
Thank you! I knew about this way, but unfortunately I need to limit it by index. =( I didn't think there was a way, but I just wanted to throw it out there and see if I was missing something.
Thank you so much!
I believe field extractions have an absolute requirement of selecting a certain sourcetype for performing these extractions. One reason I could think of why a global extraction (even if limited to a single index) would be problematic is the unnecessary load on Splunk from scanning through copious amounts of events only to find that there was no regex match.
I assume that you have events from different sourcetypes that you want the same field extraction to be applied to?
-Sean