Solved: How to create a new field at index-time using a lo...

LewisWheeler · ‎05-10-2016

I have a challenge where I want to place a static field (at index-time, NOT search-time) onto events as they are indexed.

The value of this new field must be from a lookup, based upon data already in _raw.

Lets assume the REX we need to extract here the value to be looked up is:

Test Location:(?<valueToLookup>[0-9.])*

Can anyone help me with code samples on how to then use valueToLookup to create a new field called resolvedLookupAtIndex so it appears as a static field?

NB: I have a separate search head vs indexer environment.

teekayx · ‎10-12-2016

You probably may have found out by now but just in case .. Lookups cannot be done at index time but only at search time. Refer to this and this answers. If its still something you are pondering on, you can explain why it cannot be a search time lookup to discuss possible options.

View solution in original post

teekayx · ‎10-12-2016

You probably may have found out by now but just in case .. Lookups cannot be done at index time but only at search time. Refer to this and this answers. If its still something you are pondering on, you can explain why it cannot be a search time lookup to discuss possible options.

LewisWheeler · ‎10-12-2016

I did thanks, I spoke to someone at the last Splunk Live in London and confirmed this - thanks for adding an answer though.

How to create a new field at index-time using a lookup?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk