topic Re: Adding host attributes (fields?) at index time in Splunk Search

Adding host attributes (fields?) at index time

kbutlerhc1 — Wed, 04 Mar 2015 16:24:24 GMT

New to splunk, so bear with me.

As I'm setting it up in our environment, we are forwarding logs from multiple "environments" (think prod, qa, stage, etc). What I would like to do is at the host level, define what environment it comes from so that searches are easily filterable. env="prod" for example

According to this article, it seems "not recommended" to do what I want to do. http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Configureindex-timefieldextraction

Am I looking in the right place? What's the proper way to do this?

Re: Adding host attributes (fields?) at index time

gfuente — Wed, 04 Mar 2015 16:34:50 GMT

The proper way to do this is by using tags

And set up them accordingly, for example

host=dev1 tag -> DEV

This way you can change it any time, as this is appliedon search time

Regards

Re: Adding host attributes (fields?) at index time

kbutlerhc1 — Wed, 04 Mar 2015 17:24:20 GMT

Can this be done in a configuration file on the host itself? I'd like to configure all of this through Ansible in our splunk role. Similar to the inputs.conf.