<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: adding static field value using props transforms based on source in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/adding-static-field-value-using-props-transforms-based-on-source/m-p/58543#M11508</link>
    <description>&lt;P&gt;Thanks lguinn, I like option #3 the best, will go with lookups. Do I need to make any changes in props.conf such as &lt;BR /&gt;
EXTRACT-instance = testdrive_transform or call the lookup in props.conf?&lt;/P&gt;</description>
    <pubDate>Tue, 31 Jan 2012 07:04:19 GMT</pubDate>
    <dc:creator>sonicZ</dc:creator>
    <dc:date>2012-01-31T07:04:19Z</dc:date>
    <item>
      <title>adding static field value using props transforms based on source</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/adding-static-field-value-using-props-transforms-based-on-source/m-p/58541#M11506</link>
      <description>&lt;P&gt;Hey,&lt;/P&gt;

&lt;P&gt;I am looking to add a static field "instance=testdrive" to all results from a source input with td-idp-manager in the path.&lt;BR /&gt;
I was able to extract a value from the source like so, but would prefer to not have to extract the "td-idp-manager" path in source and just use the word "testdrive" instead. Not sure of the syntax to use...&lt;/P&gt;

&lt;P&gt;What I am currently using:&lt;BR /&gt;
props.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[source::.../td-idp-manager/*]
REPORT-instance = testdrive_transform
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;transforms.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[testdrive_transform]
SOURCE_KEY = source
REGEX = (?i)[\/A-Za-z]+\/(?&amp;lt;instance&amp;gt;td-idp-manager+)/.*
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;fields.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[instance]
INDEXED_VALUE = false
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Thu, 26 Jan 2012 19:03:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/adding-static-field-value-using-props-transforms-based-on-source/m-p/58541#M11506</guid>
      <dc:creator>sonicZ</dc:creator>
      <dc:date>2012-01-26T19:03:31Z</dc:date>
    </item>
    <item>
      <title>Re: adding static field value using props transforms based on source</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/adding-static-field-value-using-props-transforms-based-on-source/m-p/58542#M11507</link>
      <description>&lt;P&gt;There are several possibilities that I can think of -  choose your favorite:&lt;BR /&gt;&lt;BR /&gt;
&lt;STRONG&gt;&lt;EM&gt;1 - Add a field to each event&lt;/EM&gt;&lt;/STRONG&gt;&lt;BR /&gt;&lt;BR /&gt;
In props.conf  &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[source::.../td-idp-manager/*]
TRANSFORMS-instance = testdrive_transform
EXTRACT-tim1 = \sinstance:(?&amp;lt;instance&amp;gt;testdrive)$
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;In transforms.conf  &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[testdrive_transform]
REGEX = (.*)
FORMAT = $1 instance:testdrive
DEST_KEY = _raw
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;This will add the string " instance:testdrive" to each event, which is then extracted into the field. Now you can use &lt;CODE&gt;instance=testdrive&lt;/CODE&gt; in your searches.&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;2 - Use Tags&lt;/EM&gt;&lt;/STRONG&gt;&lt;BR /&gt;&lt;BR /&gt;
Delete the transform that you have now. Set up a tag named &lt;CODE&gt;testdrive&lt;/CODE&gt; that corresponds to  &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;source=*td-idp-manager*
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Then you can search by entering &lt;CODE&gt;tag=testdrive&lt;/CODE&gt; &lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;3 - Use Lookups&lt;/EM&gt;&lt;/STRONG&gt;&lt;BR /&gt;&lt;BR /&gt;
Keep your current transform, but change the name of the field extracted - make it &lt;CODE&gt;instance_raw&lt;/CODE&gt; instead. Then set up a lookup table with two columns:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;instance_raw,instance
td-idp-manager,testdrive
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Set this as an automatic lookup, and then you will have a field named instance with the value testdrive. So you will be able to search &lt;CODE&gt;instance=testdrive&lt;/CODE&gt;. If you have multiple values that you want to map, just add additional entries to the lookup table.&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;Summary&lt;/EM&gt;&lt;/STRONG&gt;&lt;BR /&gt;&lt;BR /&gt;
Option 1 adds a small amount of overhead at indexing time, and a few bytes to each event.&lt;BR /&gt;
Option 2 is all done at search time; this is the most simple option.&lt;BR /&gt;
Option 3 is the only one that uses your existing transform, but it then uses a lookup to map the values.&lt;/P&gt;</description>
      <pubDate>Sun, 29 Jan 2012 11:33:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/adding-static-field-value-using-props-transforms-based-on-source/m-p/58542#M11507</guid>
      <dc:creator>lguinn2</dc:creator>
      <dc:date>2012-01-29T11:33:19Z</dc:date>
    </item>
    <item>
      <title>Re: adding static field value using props transforms based on source</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/adding-static-field-value-using-props-transforms-based-on-source/m-p/58543#M11508</link>
      <description>&lt;P&gt;Thanks lguinn, I like option #3 the best, will go with lookups. Do I need to make any changes in props.conf such as &lt;BR /&gt;
EXTRACT-instance = testdrive_transform or call the lookup in props.conf?&lt;/P&gt;</description>
      <pubDate>Tue, 31 Jan 2012 07:04:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/adding-static-field-value-using-props-transforms-based-on-source/m-p/58543#M11508</guid>
      <dc:creator>sonicZ</dc:creator>
      <dc:date>2012-01-31T07:04:19Z</dc:date>
    </item>
    <item>
      <title>Re: adding static field value using props transforms based on source</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/adding-static-field-value-using-props-transforms-based-on-source/m-p/58544#M11509</link>
      <description>&lt;P&gt;For option 3, keep your transform. Just change &lt;CODE&gt;&amp;lt;instance&amp;gt;&lt;/CODE&gt; to &lt;CODE&gt;&amp;lt;instance_raw&amp;gt;&lt;/CODE&gt; in your REGEX.&lt;/P&gt;

&lt;P&gt;You can create the lookup very easily from the Splunk Manager UI:&lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;Build a CSV file on your desktop that contains the data you need.  The first row MUST be a header; the column names will be the field names in your lookup.&lt;/LI&gt;
&lt;LI&gt;Go to &lt;STRONG&gt;Manager » Lookups&lt;/STRONG&gt; in the Splunk UI&lt;/LI&gt;
&lt;LI&gt;Add a new &lt;STRONG&gt;Lookup Table File&lt;/STRONG&gt;.  This is where you will upload the CSV file from your desktop into Splunk.&lt;/LI&gt;
&lt;LI&gt;Add a new &lt;STRONG&gt;Lookup Definition&lt;/STRONG&gt;.  This is where you tell Splunk that you want to do a file-based lookup, using your Lookup Table file from the previous step.&lt;/LI&gt;
&lt;LI&gt;Add a new &lt;STRONG&gt;Automatic Lookup&lt;/STRONG&gt;.  Here you tell Splunk how to use your Lookup Definition automatically, and tell it which fields to retrieve, etc.&lt;/LI&gt;
&lt;LI&gt;Be sure to set permissions on each of the items: the table, the definition, and the automatic lookup - if you want them to be used by others.&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;Once the lookup is created, you can see that it adds additional entries to props.conf and transforms.conf. If you want to edit them directly, take a look at &lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/knowledge/Addfieldsfromexternaldatasources#Set_up_a_fields_lookup_based_on_a_static_file"&gt;Setup a fields lookup based on a static file&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 31 Jan 2012 09:26:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/adding-static-field-value-using-props-transforms-based-on-source/m-p/58544#M11509</guid>
      <dc:creator>lguinn2</dc:creator>
      <dc:date>2012-01-31T09:26:31Z</dc:date>
    </item>
  </channel>
</rss>

