I am trying to find out how to create a custom field that will be available as an index field that I can set as a static value by sourcetype in props.conf so that it will be available at search time via the UI. For example:
[source::/temp/weblogic.log]
sourcetype=weblogic-log
EXTRACT-appcomp = "weblogic"
EXTRACT-apptier = "application"
EXTRACT-appname = "e-commerce"
This does not seem to be working and I was hoping you could provide some guidance.
Thanks
Use Calculated Fields:
[source::/temp/weblogic.log]
sourcetype=weblogic-log
EVAL-appcomp = "weblogic"
EVAL-apptier = "application"
EVAL-appname = "e-commerce"
This helped a ton, thanks! Great for search-time extractions.
Use a TRANSFORMS in props.conf that will call the name of the transformation,
and in transforms.conf, you specify the regex and the value (it can be a regex that always matches).
see http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction
and http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf
Is there not a simpler way? It seems to me that if I use the TRANSFORM option then I will have to create a separate TRANSFORM stanza for each of the follow...
app-name::website
app-comp::weblogic
app-domain::commerce
app-tier::application
I need to add these for numerous instances, apps, components, domains, tiers, etc. Creating the TRANSFORM stanzas for each will take a considerable effort. I effectively want these to be applied to any log we capture, with the values set by source.
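The following is an added example of the index-time approach the TRANSFORMS answer above describes, written here for illustration; it is not configuration from the answerer or from the Splunk documentation. It also covers the concern in the last comment: one transforms stanza can set all four static fields at once, because FORMAT accepts several field::value pairs, so you need one stanza per source rather than one per field. The stanza name weblogic_static_fields and the use of underscores instead of the hyphens in the comment (app_name rather than app-name, since Splunk field names should stay alphanumeric and underscore) are assumptions.

```ini
# props.conf (on the indexer or heavy forwarder that parses this source)
# Stanza name and transform name are assumptions for this example.
[source::/temp/weblogic.log]
sourcetype = weblogic-log
TRANSFORMS-appmeta = weblogic_static_fields

# transforms.conf
[weblogic_static_fields]
# A single "." matches any character, so this regex matches every event
# from the source above; no capture group is needed for literal values.
REGEX = .
# Several indexed fields are set in one FORMAT; the values are plain literals.
FORMAT = app_name::website app_comp::weblogic app_domain::commerce app_tier::application
# Write the fields into the event's metadata at index time.
WRITE_META = true

# fields.conf (on the search head)
# Marks the fields as indexed so a search such as app_name=website is
# answered from the index instead of attempting a search-time extraction.
[app_name]
INDEXED = true
[app_comp]
INDEXED = true
[app_domain]
INDEXED = true
[app_tier]
INDEXED = true
```

Index-time settings only affect events ingested after the configuration is loaded, so existing data keeps whatever fields it was indexed with; to get the same static values on already-indexed data, the EVAL- calculated fields shown earlier remain the search-time option.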