Splunk Search

field extraction based on index

sbsbb
Builder

I have two different indexes, with multiple sources, say source1, source2

How can I define a different Extraction per Index

Index1 SourceA Transform1A
Index2 SourceA Transform2A

I could only specify the source by extractions....

1 Solution

datasearchninja
Communicator

Are you sure you are defining the data correctly? If the SourceA data requires different extractions depending on index, then isn't it going to be a different sourcetype?

If the event data is different, then you could just specify both extractions, and each would only work on the data it matched. IN this case however because the data is different, different sourcetypes should be set.

If the event data really is the same, then you could do this using eval, to create a field that combines index and raw, and then do the extractions from the new field.

props.conf:

EVAL-indexplusraw = index . "-" . _raw
EXTRACT-field1 = index1-(<REGEX>) in indexplusraw
EXTRACT-field2 = index2-(<REGEX>) in indexplusraw

View solution in original post

0 Karma

datasearchninja
Communicator

Are you sure you are defining the data correctly? If the SourceA data requires different extractions depending on index, then isn't it going to be a different sourcetype?

If the event data is different, then you could just specify both extractions, and each would only work on the data it matched. IN this case however because the data is different, different sourcetypes should be set.

If the event data really is the same, then you could do this using eval, to create a field that combines index and raw, and then do the extractions from the new field.

props.conf:

EVAL-indexplusraw = index . "-" . _raw
EXTRACT-field1 = index1-(<REGEX>) in indexplusraw
EXTRACT-field2 = index2-(<REGEX>) in indexplusraw
0 Karma

Ayn
Legend

I believe you cannot specify extractions based on index. You're talking about index and source - what about sourcetype?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...