topic Re: I missed a field in my custom sourcetype in Splunk Search

I missed a field in my custom sourcetype

riotto — Wed, 05 Oct 2016 18:52:16 GMT

I am trying to add a field that I missed on my custom sourcetype. If I add it to the transforms.conf, the data (event) stops getting indexed. My transforms is a simple delimited fields entry. Is there a way to add this field to the event after the missing it? Also, will
the indexer enter a second event that has the same host, source, sourcetype and event time (_time) ? ...a duplicate event ?

Re: I missed a field in my custom sourcetype

dmaislin_splunk — Wed, 05 Oct 2016 18:59:32 GMT

Need more detail. What does your inputs.conf, props.conf, and transforms.conf look like?

Re: I missed a field in my custom sourcetype

dmaislin_splunk — Wed, 05 Oct 2016 19:00:39 GMT

And maybe add a sample set of events to the post.

Re: I missed a field in my custom sourcetype

riotto — Tue, 29 Sep 2020 11:17:28 GMT

inputs.conf
[script://./bin/test.sh]
interval = 60
sourcetype = leveltest
source= leveltest
index = os
disabled = 0

props.conf:
[leveltest]
SHOULD_LINEMERGE = False
pulldown_type = 1
REPORT-level= LEVEL

transforms.conf:
[LEVEL]
DELIMS = ","
FIELDS =level1, level2, level3, level4, level5, level6, level7, level8 (..need to add level9)

Re: I missed a field in my custom sourcetype

riotto — Wed, 05 Oct 2016 19:17:02 GMT

The data is just integers for each field 202,109,497,3455,223,227,884,334,964 (...level9)