How to add new fields to certain events via _meta?

florianhh
Explorer

Hi Splunkers,

I am trying to get a new internal field "_application" added to certain events.

So I added a new field via _meta in the inputs.conf on the forwarder.

[script:///opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/df_metric.sh]
sourcetype = df_metric
source = df
interval = 300
disabled = 0
index = server_nixeventlog
_meta = _application::<application_name>

I also added a new stanza to fields.conf:

[_application]
INDEXED = false
#* Set to "true" if the field is created at index time.
#* Set to "false" for fields extracted at search time. This accounts for the
#  majority of fields.

INDEXED_VALUE = false
#* Set to "true" if the value is in the raw text of the event.
#* Set to "false" if the value is not in the raw text of the event.

The fields.conf is deployed to the indexer and the SH.

But I still do not see the event.

I tried searching for

"_application::<application_name>"

"_application=<application_name>"

_application::*

_application=*

Nothing...

Can somebody explain to me where the problem is?


PickleRick
SplunkTrust

If you want to have a metadata field "external" to the event itself, you must create an indexed field, since the field value is not in any way contained within the event itself.

But your INDEXED=false setting says that Splunk shouldn't treat the field as indexed.

Another question is whether you really do need the external field. Isn't the information contained within the event itself? There are use cases where indexed fields can be useful, but they are rare, and quite often indexed fields are the wrong way of resolving your problem 😉

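As an added example (not part of any post in this thread), here is what the two configuration pieces from the question look like once the field is declared as an indexed field, which is what a value carried only in _meta requires. The value "myapp" and the field name "application" are constructed for the example; the field name drops the leading underscore so Splunk does not treat it as a hidden internal field.

```ini
# inputs.conf on the forwarder (same stanza as in the question; "myapp" is a constructed value)
[script:///opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/df_metric.sh]
sourcetype = df_metric
source = df
interval = 300
disabled = 0
index = server_nixeventlog
# key::value pairs in _meta become indexed fields; no leading underscore on the key
_meta = application::myapp

# fields.conf on the search head (and wherever else searches are parsed)
# setting from the question, which tells Splunk NOT to look for the field in the index:
#   [_application]
#   INDEXED = false
# corrected setting:
[application]
INDEXED = true
# the value never appears in _raw, so leave INDEXED_VALUE false; otherwise a search for
# application=myapp would also be expanded into a raw-text search for "myapp"
INDEXED_VALUE = false

# search with the indexed-field syntax once the forwarder has restarted and new events arrived:
#   index=server_nixeventlog sourcetype=df_metric application::myapp
# or match any event that carries the field at all:
#   index=server_nixeventlog application::*
```

Only events indexed after the inputs.conf change carry the field; existing events in the index are not rewritten, so test against fresh data.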

florianhh
Explorer

Hi PickleRick,

thanks for replying so quickly.

Yeah, I do not want it to be an index-time field.

No, the information unfortunately is not statically in the event itself.

I now found out that Splunk does not permit using leading-underscore fields, so I think I found a dead end here and have to find another solution.


PickleRick
SplunkTrust

If you can derive your application field from other field(s) - for example, some set of host values corresponds with application A and another set is app B - you could try using lookups or eventtypes to calculate it at search time.

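As an added example of the search-time approach suggested above (not code from any post in this thread), this maps host to application with an automatic CSV lookup, plus an eventtype for the case where one application is just a fixed set of hosts. The CSV contents, host names, application names and stanza names are all constructed for the example.

```ini
# lookups/host_to_application.csv in the app on the search head (constructed sample data):
#   host,application
#   web01,shop-frontend
#   web02,shop-frontend
#   db01,shop-database

# transforms.conf: define the lookup table (stanza name is a constructed choice)
[host_to_application]
filename = host_to_application.csv

# props.conf: automatic lookup so every df_metric event gets an application field at search time
[df_metric]
LOOKUP-application = host_to_application host OUTPUTNEW application

# eventtypes.conf: alternative when an application is simply a known set of hosts
[app_shop_frontend]
search = sourcetype=df_metric host IN (web01, web02)

# ad-hoc equivalents in SPL, without the automatic lookup:
#   index=server_nixeventlog sourcetype=df_metric
#   | lookup host_to_application host OUTPUTNEW application
#   | where application="shop-frontend"
# or, using the eventtype:
#   index=server_nixeventlog eventtype=app_shop_frontend
```

Because the mapping lives on the search head, changing which hosts belong to which application only requires editing the CSV, and the new assignment applies to already-indexed events as well.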