Splunk Search

Is there a way to configure an index wide props.conf stanza, not just sourcetype?

tmarlette
Motivator

I was reading the documentation, but I didn't see anything about whether it's possible to set an index-wide property within props.conf.

For instance:

    [my_sourcetype]
    EXTRACT-field1 = field_(?<myfield>\w+)

Is there a way to add an extracted field to a sourcetype?

Is there such a thing as this, or a way to do it for an entire index?

    [my_index]
    EXTRACT-field1 = field_(?<myfield>\w+)
1 Solution

bmacias84
Champion

You can do this globally for all data within Splunk by using the [default] stanza within any props.conf, but not by index, at least to my knowledge.

    [default]
    EXTRACT-<class> = [<regex>|<regex> in <src_field>]

Example:

    [default]
    EXTRACT-foo = seattle-(?<system_type>\w{3})-\d{3} in host

The host field now creates a system_type field containing any three letters. If host contained seattle-dcs-001, system_type would contain dcs.

Cheers, I hope this helps.

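To see how a [default] extraction using the `in <src_field>` form behaves next to a sourcetype-scoped one before pushing the change to a search head, here is an added Python simulation of search-time EXTRACT processing; it is not Splunk's code and not part of this thread, and the props.conf text, the events and the index and sourcetype names in it are constructed. It also shows the point made above in practice: the [default] stanza fires on every event whatever its index, while a sourcetype stanza only touches events of that sourcetype.

```python
import re

# Constructed props.conf modelled on the two stanzas discussed in this thread.
PROPS_CONF = r"""
[default]
EXTRACT-foo = seattle-(?<system_type>\w{3})-\d{3} in host
[my_sourcetype]
EXTRACT-field1 = field_(?<myfield>\w+)
"""
# "<regex> in <src_field>" form; without " in ", Splunk extracts from _raw.
EXTRACT_IN = re.compile(r"^(?P<regex>.*?)\s+in\s+(?P<src>\w+)$")

def parse_props(text):
    """Return {stanza: [(class, compiled_regex, source_field), ...]}; simplified, no continuation lines."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if current is None or not key.startswith("EXTRACT-"):
            continue
        m = EXTRACT_IN.match(value)
        regex, src = (m.group("regex"), m.group("src")) if m else (value, "_raw")
        # Splunk uses PCRE named groups (?<name>...); Python needs (?P<name>...). Lookbehinds are left alone.
        py_regex = re.sub(r"\(\?<(?![=!])", "(?P<", regex)
        stanzas.setdefault(current, []).append((key[len("EXTRACT-"):], re.compile(py_regex), src))
    return stanzas

def apply_extractions(props, event):
    """Simulate search time: [default] fires on every event (any index), then the event's sourcetype stanza."""
    fields = dict(event)
    for stanza in ("default", event.get("sourcetype", "")):
        for _cls, pattern, src in props.get(stanza, []):
            m = pattern.search(fields.get(src, ""))
            if m:
                fields.update(m.groupdict())
    return fields

# Constructed sample events spanning two indexes and two sourcetypes.
EVENTS = [
    {"index": "main", "sourcetype": "my_sourcetype", "host": "seattle-dcs-001", "_raw": "field_alpha done"},
    {"index": "other", "sourcetype": "syslog", "host": "seattle-web-042", "_raw": "no marker here"},
    {"index": "other", "sourcetype": "syslog", "host": "portland-db-007", "_raw": "field_beta"},
]
def extract_all(events=EVENTS):
    return [apply_extractions(parse_props(PROPS_CONF), e) for e in events]
```

The third event shows the scoping: its _raw would match the my_sourcetype regex, but because its sourcetype is syslog no myfield is produced, whereas the host-based [default] extraction is attempted on every event in both indexes.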


tmarlette
Motivator

Thank you! I knew about this way, but unfortunately I need to limit it by index. =( I didn't think there was a way, but I just wanted to throw it out there and see if I was missing something.

Thank you so much!


seandevo
Explorer

I believe field extractions have an absolute requirement of selecting a certain sourcetype for performing these extractions. One reason why I could think a global extraction (even if limited to a single index) would be problematic is unnecessary load on Splunk scanning through copious amounts of events to find out that there was no regex match.

I assume that you have events from multiple different sourcetypes that you want the same field extraction to be applied to?

-Sean
