Splunk Search

add dynamic field in splunk

chandansingh
Explorer

Hi everyone, I would like to add a field in Splunk, but the field value does not come in the result.

Here my sources are:
1. C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest1\host_name\afkcd01_KLZ_Disk_110208.csv
2. C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest2\host_name\afkcd01_KLZ_Disk_110208.csv
3. C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest3\host_name\afkcd01_KLZ_Disk_110208.csv

I want to add a field with the name guest, as in the above sources there are different guests like guest1, guest2 and guest3. So I would like to search results based on the guest field, like:
index="tougou" guest="guest1"
index="tougou" guest="guest2"
As we know, source always comes in the result, but I don't know how to add the field guest in Splunk. Please help me to resolve this problem. Thanks in advance.


dwaddle
SplunkTrust

If I understand your question correctly, you want to extract a field from the "source" metadata associated with the event. (That is, not from the "_raw" event text.) As far as I know, the only way to do that is to create an indexed field. There are a number of caveats that go along with creating indexed fields - I would recommend discussing your exact scenario and its performance and other implications with Splunk support. That said, we use this as a basic formula for pulling indexed fields from "source":

(props.conf)
# sourcetype stanza: applies the transform to events of sourcetype "tougou"
[tougou]
TRANSFORMS-guest=togou_guest

(transforms.conf)
[togou_guest]
# Match against the event's "source" metadata rather than the _raw text
SOURCE_KEY=MetaData:Source
# PCRE: each literal backslash in the Windows path is written as \\ ;
# the capture group takes the directory right after tougou_logs (guest1, guest2, ...)
REGEX=tougou\\tougou_logs\\([^\\]+)\\
# Write the capture as the indexed field "guest"
FORMAT=guest::$1
WRITE_META=true

(I am a little unsure on the backslashes and how many are needed in the regex example. My day job is not Windows)

Docs related to this are at: http://www.splunk.com/base/Documentation/latest/Admin/Configureindex-timefieldextraction
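To check how the transforms.conf REGEX/FORMAT pair behaves against the source paths from the question, including the backslash question raised above, here is an added Python script that is not from the thread. It emulates the transform with Python's re module (assumed to treat these patterns the same way as Splunk's PCRE) and uses a regex matched to the question's tougou\tougou_logs path layout; the sample source values and the non-matching path are constructed for the test.

```python
import re

# Constructed sample "source" metadata values, built from the paths in the
# question, plus one non-matching path to show other events are left alone.
SOURCES = [
    r"C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest1\host_name\afkcd01_KLZ_Disk_110208.csv",
    r"C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest2\host_name\afkcd01_KLZ_Disk_110208.csv",
    r"C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest3\host_name\afkcd01_KLZ_Disk_110208.csv",
    r"C:\Program Files\Splunk\etc\apps\other_app\logs\host_name\afkcd01_KLZ_Disk_110208.csv",
]

# REGEX and FORMAT as they would be written in transforms.conf. REGEX is PCRE,
# so each literal backslash in the Windows path has to be written as "\\".
TRANSFORMS_REGEX = r"tougou\\tougou_logs\\([^\\]+)\\"
TRANSFORMS_FORMAT = "guest::$1"

# The tempting single-backslash spelling: "\t" is a TAB in PCRE, so it never matches.
SINGLE_BACKSLASH_REGEX = r"tougou\tougou_logs\\([^\\]+)\\"


def apply_transform(source, regex=TRANSFORMS_REGEX, fmt=TRANSFORMS_FORMAT):
    """Emulate one transforms.conf stanza against a single source value.

    Returns {field: value, ...} for each "name::$N" pair in FORMAT, or {} when
    REGEX does not match (Splunk then adds no field to that event).
    """
    match = re.search(regex, source)
    if not match:
        return {}
    fields = {}
    for pair in fmt.split():
        name, _, template = pair.partition("::")
        # Replace $1, $2, ... in the template with the corresponding capture groups
        fields[name] = re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), template)
    return fields


if __name__ == "__main__":
    for src in SOURCES:
        print("...\\" + "\\".join(src.split("\\")[-4:]), "->", apply_transform(src))
    print("single-backslash regex on guest1 path ->",
          apply_transform(SOURCES[0], regex=SINGLE_BACKSLASH_REGEX))
```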
