topic Re: Field extraction on all inputs in Splunk Search

Field extraction on all inputs

Jordan_Brough — Wed, 30 May 2012 20:55:03 GMT

Is it possible to apply a search-time field extraction to all inputs?

Our log files (across multiple hosts, sources & sourcetypes) are named like: /some/path/[app].XX.log (where XX is a number). Basically we have one logfile per running process.

I would like to automatically extract a field like: source_combined=/some/path/[app]

Here is my transforms.conf:

[source_combined]
CLEAN_KEYS = 1
FORMAT = 
MV_ADD = 0
REGEX = ^(?<source_combined>.*?)(\.\d+)?(\.log)?$
SOURCE_KEY = source

Here is my props.conf that doesn't work:

[*]
REPORT-source_combined = source_combined

This props.conf does work:

[rails]
REPORT-source_combined = source_combined

but only provides the field to the "rails" sourcetype. I want it to apply to all sourcetypes. Is there any way to get my extraction to apply to all sourcetypes rather than just one sourcetype? Is there another way of getting what I want?

Re: Field extraction on all inputs

sdaniels — Wed, 30 May 2012 22:56:49 GMT

Does this work for your props.conf stanza.

[(?::){0}*]
REPORT-source_combined = source_combined

I was just looking at this. http://splunk-base.splunk.com/answers/24274/can-you-have-a-wildcard-in-a-propsconf-stanza-header-when-matching-sourcetypes

Re: Field extraction on all inputs

Jordan_Brough — Wed, 30 May 2012 23:59:19 GMT

It does indeed! Thank you very much!

Re: Field extraction on all inputs

gkanapathy — Thu, 31 May 2012 05:46:28 GMT

It's not really any different, but you could also have just used either

[source::*]

[host::*]