topic Re: Add an alternative name as an extra index identifier in Knowledge Management

Add an alternative name as an extra index identifier

elof — Wed, 19 Feb 2014 17:53:28 GMT

In splunk I have a bunch of indexes:

customer01

customer02

customer03

...

Outside of splunk (in real life), each customer has a codename:

customer01 = "alfa"

customer02 = "beta"

customer03 = "gamma"

...

What I'm asking for:

In the left column in Splunk Search I see my usual selected fields; "host", "index", "source", "sourcetype", etc.

Here I want to add the field "codename".

By clicking on "index" I see a list of all indexes ("customer01", "customer02", etc).

Simillarly, I would like to be able to click on "codename" and see list of all codenames ("alfa", "beta", etc) to easily filter out a specific customer without having to know its customer number.

(some of my users searching through all non-internal indexes don't know which customer has what number, but they know the customer's codename)

So is there any way to statically add an anternative name to all incoming data (from my universal forwarders)?

All events logged to to index "customer01" should be tagged with "alfa", everything to index "customer02" with "beta", and so on.

If this tagging/aliasing/whatever is possible to do, I would like to do it in the universal forwarder. If that is not possible I can do it on the indexer.

...resulting in events looking someting like this:

ntpd[945]: synchronized to 10.10.10.10, stratum 2

host=foo  index=customer02  source=/var/log/foo  sourcetype=bar  codename=beta

PS: Using lookup-tables seem a bit excessive for this. I simply want to add a static string into the data the easiest way.

How?

Re: Add an alternative name as an extra index identifier

somesoni2 — Wed, 19 Feb 2014 18:53:17 GMT

I don't think so this is possible (creating alias at index level). (http://answers.splunk.com/answers/42071/any-way-to-create-an-alternate-name-or-alias-for-an-index)

Other cumbersome option will be to configure field alias/automatic lookup at sourcetype level.

Re: Add an alternative name as an extra index identifier

martin_mueller — Wed, 19 Feb 2014 19:35:52 GMT

You can tag your indexes with your codenames, and view them in the field sidebar under tag::index.

Re: Add an alternative name as an extra index identifier

elof — Wed, 19 Feb 2014 20:10:32 GMT

I'm reading the tagging docs but don't fully understand how to do it. 😕

Could I have an example of such a stanza, and in which file it goes?

Re: Add an alternative name as an extra index identifier

martin_mueller — Wed, 19 Feb 2014 20:16:47 GMT

It's probably easiest to go through the Splunk web interface. Search for index=customer01, expand an event (black triangle to its left), look for the field index, click actions for that field (blue triangle to its right), click tag, enter "alfa" (no quotes) in the box, done.

That's for Splunk 6, previous versions do the same thing but the steps to get there are a bit different.

Re: Add an alternative name as an extra index identifier

martin_mueller — Wed, 19 Feb 2014 20:19:04 GMT

Here's an example for tags.conf:

[index=_internal]
foo = enabled

That will add a tag called foo for the index _internal.

Re: Add an alternative name as an extra index identifier

elof — Wed, 19 Feb 2014 21:13:39 GMT

Worked like a charm! Thanks!

Re: Add an alternative name as an extra index identifier

elof — Thu, 20 Feb 2014 09:26:20 GMT

Whee! Splunk made it even better than my example above. 🙂
It placed my index-tag "beta" right next to the index-name, making everything very intuitive. Great stuff.

ntpd[945]: synchronized to 10.10.10.10, stratum 2
host=foo  index=customer02 beta  source=/var/log/foo  sourcetype=bar

Re: Add an alternative name as an extra index identifier

martin_mueller — Thu, 20 Feb 2014 10:08:38 GMT

Splunk - exceeding expectations where you didn't expect it to 😄