https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485876#M83179 <P>No. The <CODE>:=</CODE> syntax says <CODE>overwrite</CODE>; the <CODE>=</CODE> syntax says <CODE>append</CODE>.</P> Mon, 14 Oct 2019 16:01:00 GMT woodcock 2019-10-14T16:01:00Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485871#M83174 <P>Hi All,<BR /> Thanks upfront for your time.</P> <P>I have a task that I am trying to create 2 fields for any sourcetype that visits my Heavy Forwarders on the way to my indexer cluster.<BR /> I had created following props.conf at HF to assign values as below and failed :</P> <PRE><CODE>[mycustomlogg] EVAL-HF_LVL1_NAME = myservername EVAL-HF_LVL1_TIME = now() </CODE></PRE> <P>This might be good question for any admin who wants to have more detail on data travel times within Splunk environment even though it might be prone to lesser performance if succeeded. </P> <P>Are there anybody who had achieved similar in the past ? I believe I should be able to assign HF_LVL1_NAME with transforms.conf. However, still have no clue for now() function within conf files. </P> Wed, 30 Sep 2020 02:15:38 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485871#M83174 akocak 2020-09-30T02:15:38Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485872#M83175 <P>Hi,</P> <P>Have a look at <CODE>INGEST_EVAL</CODE> parameter in transforms.conf. Ref. doc <A href="https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/IngestEval">https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/IngestEval</A></P> Wed, 25 Sep 2019 09:02:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485872#M83175 harsmarvania57 2019-09-25T09:02:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485873#M83176 <P>Hi, Thanks for the answer</P> <P>I had enabled ingest-eval as in the examples of documentation from my Heavy Forwarder. It still didn't take my custom fields, this is my configuration:<BR /> props.conf</P> <PRE><CODE>[mycustomlogg] DATETIME_CONFIG = NO_BINARY_CHECK = true TRANSFORMS-abc = myevalforhfname,myevalforhfname2 category = Custom disabled = false </CODE></PRE> <P>transforms: (has both testing)<BR /> [myevalforhfname]<BR /> INGEST_EVAL = HFLVL1NAME="myservername"</P> <P>[myevalforhfname2]<BR /> INGEST_EVAL = HFLVL1NAME2=lower("myservername")</P> <P>fields.conf<BR /> [HFLVL1NAME]<BR /> INDEXED = True</P> <PRE><CODE>[HFLVL1NAME2] INDEXED = True </CODE></PRE> Fri, 11 Oct 2019 18:13:51 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485873#M83176 akocak 2019-10-11T18:13:51Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485874#M83177 <P>There is a RegEx-injection attack that you can use to match all sourcetypes, like this:</P> <PRE><CODE>In props.conf: [(?::){0}*] TRANSFORMS-arbitrary_string_here = myevalforhfname In transforms.conf: [myevalforhfname] INGEST_EVAL = HFLVL1NAME:="Your hardcoded string value here" In fields.conf: [HFLVL1NAME] INDEXED = True </CODE></PRE> Sun, 13 Oct 2019 00:12:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485874#M83177 woodcock 2019-10-13T00:12:28Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485875#M83178 <P>is this syntax error ? ( := )</P> <PRE><CODE>INGEST_EVAL := </CODE></PRE> Mon, 14 Oct 2019 15:14:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485875#M83178 akocak 2019-10-14T15:14:45Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485876#M83179 <P>No. The <CODE>:=</CODE> syntax says <CODE>overwrite</CODE>; the <CODE>=</CODE> syntax says <CODE>append</CODE>.</P> Mon, 14 Oct 2019 16:01:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485876#M83179 woodcock 2019-10-14T16:01:00Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485877#M83180 <P>Still have no luck, my configuration doesn't work for some reason. </P> Mon, 14 Oct 2019 19:55:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485877#M83180 akocak 2019-10-14T19:55:01Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485878#M83181 <P>I would open a support case. Come back and let us know what ends up fixing it!</P> Mon, 14 Oct 2019 21:06:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485878#M83181 woodcock 2019-10-14T21:06:03Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485879#M83182 <P>Hi, I have the same need, could you resolve this part: EVAL-HF_LVL1_TIME = now() ?</P> <P>Thanks,</P> Wed, 30 Sep 2020 02:39:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485879#M83182 oangarita 2020-09-30T02:39:01Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485880#M83183 <P>If you are doing a sourcetype override/overwrite, you must use the <EM>ORIGINAL</EM> value, <EM>NOT</EM> the new value. You must deploy your settings to the first full instance(s) of Splunk that handle the events (usually either the HF tier if you use one, or else your Indexer tier), restart all Splunk instances there, send in new events (old events will stay broken), then test using <CODE>_index_earliest=-5m</CODE> to be absolutely certain that you are only examining the newly indexed events.</P> Thu, 17 Oct 2019 13:55:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485880#M83183 woodcock 2019-10-17T13:55:33Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485881#M83184 <P>You are right, I had the <CODE>:=</CODE> in the wrong place. I fixed it. In any case this is what the docs say:</P> <PRE><CODE>* When writing to a _meta field, the default behavior is to add a new index-time field even if one exists with the same name, the same way WRITE_META works for regular-expression-based extractions. For example, "a=5, a=a+2" adds two index-time fields to _meta: "a::5 a::7". You can change this by using ":=" after the variable name. For example, setting "a=5, a:=a+2" causes Splunk software to add a single "a::7" field. * NOTE: Replacing index-time fields is slower than adding them. It is best to only use ":=" when you need this behavior. * The ":=" operator can also be used to remove existing fields in _meta by assigning the expression null() to them. </CODE></PRE> Fri, 24 Jan 2020 19:22:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485881#M83184 woodcock 2020-01-24T19:22:54Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485882#M83185 <P>Hi Woodcock, <BR /> Thanks for the great answer again. <BR /> Even though I couldn't find anything related , I assume my config is not working thanks to version 7.0.8. We had recently upgraded to 7.3 , However, I didn't have chance to work on this again. I will update here when implement. </P> Tue, 28 Jan 2020 19:42:22 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-custom-field-at-Heavy-Forwarder-for-all/m-p/485882#M83185 akocak 2020-01-28T19:42:22Z