Our deployed application services have a static deployment name of this format:
{service name}-{environment}-{the release name}
Example: service1-stage-release-1-0-1
Where the tokens I'm interested in are:
environment: "stage"
release_name: "release-1-0-1"
service1 is irrelevant here since its value is equal to the sourcetype for all events in this application, so I can already filter by sourcetype=service1.
My goal is for each event to be able to filter thusly:
sourcetype=service1 environment=stage release_name=release-1-0-1
This Deployment Name is currently held as a value in user-data (these are EC2 instances), though we could simply write it out to a Splunk config file on first boot of these servers.
I've been reading the props.conf and transforms.conf docs, but I have been unable to determine how to enable the functionality described above. Any pointers, links, and/or advice greatly appreciated.
thanks,
Sam