topic How do I add a dynamic field to an inputs.conf file? in Getting Data In

How do I add a dynamic field to an inputs.conf file?

arlington — Tue, 12 Feb 2019 18:18:41 GMT

I have logs which are monitored by a Splunk forwarder, but what I want to do is add dynamic fields to an event, which will be generated as a result of any script or command (for example with curl).

I know one way, with scripted input, is to create a script that reads logs and parallel add any value to the result.

Do we have another more elegant way of doing this? I searched but I couldn't find anything.

Re: How do I add a dynamic field to an inputs.conf file?

chrisyounger — Tue, 12 Feb 2019 19:11:17 GMT

Hi @arlington

The most elegant way to enrich events is to have a script that populates a CSV which is then used as an automatic lookup. A good example is the identity and asset lookups in Enterprise Security that work like this. They are very performant even for huge lookups.

If you want to enrich an event and your absolutly can't pre-compute the data, then use a script (external) lookup https://docs.splunk.com/Documentation/Splunk/7.2.3/Knowledge/Configureexternallookups or a custom command: https://docs.splunk.com/Documentation/Splunk/7.2.3/Search/Writeasearchcommand

All the best.

Re: How do I add a dynamic field to an inputs.conf file?

arlington — Wed, 13 Feb 2019 09:02:22 GMT

Actually what I am trying to do is add Instance ID or any TAG from EC2 instance to my apps event. But still I can't find a proper solution how to do that. Using host field is not reliable to match in lookup, because if instance going to be destroyed it's ip and host name release and will be assigned to newly created instance in future. As Instance ID is unique across whole AWS environmet I would like to use that. But in order to do that need add instance id to all events which I am forwarding with splunkforwarder. Instance ID are accessible with the curl command inside current running instance. Any idea on that?