Solved: Field extraction on all inputs

Jordan_Brough · ‎05-30-2012

Is it possible to apply a search-time field extraction to all inputs?

Our log files (across multiple hosts, sources & sourcetypes) are named like: /some/path/[app].XX.log (where XX is a number). Basically we have one logfile per running process.

I would like to automatically extract a field like: source_combined=/some/path/[app]

Here is my transforms.conf:

[source_combined]
CLEAN_KEYS = 1
FORMAT = 
MV_ADD = 0
REGEX = ^(?<source_combined>.*?)(\.\d+)?(\.log)?$
SOURCE_KEY = source

Here is my props.conf that doesn't work:

[*]
REPORT-source_combined = source_combined

This props.conf does work:

[rails]
REPORT-source_combined = source_combined

but only provides the field to the "rails" sourcetype. I want it to apply to all sourcetypes. Is there any way to get my extraction to apply to all sourcetypes rather than just one sourcetype? Is there another way of getting what I want?

sdaniels · ‎05-30-2012

Does this work for your props.conf stanza.

[(?::){0}*]
REPORT-source_combined = source_combined

I was just looking at this. http://splunk-base.splunk.com/answers/24274/can-you-have-a-wildcard-in-a-propsconf-stanza-header-whe...

View solution in original post

sdaniels · ‎05-30-2012

Does this work for your props.conf stanza.

[(?::){0}*]
REPORT-source_combined = source_combined

I was just looking at this. http://splunk-base.splunk.com/answers/24274/can-you-have-a-wildcard-in-a-propsconf-stanza-header-whe...

gkanapathy · ‎05-30-2012

It's not really any different, but you could also have just used either

[source::*]

or

[host::*]

Jordan_Brough · ‎05-30-2012

It does indeed! Thank you very much!

Field extraction on all inputs

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification