https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183162#M52740 <P>You can include <CODE>index=foo</CODE> in your inputs.conf file, but not props.conf.</P> Mon, 24 Aug 2015 12:43:06 GMT richgalloway 2015-08-24T12:43:06Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183157#M52735 <P>Hi,</P> <P>In my inputs.conf I have a number of monitors. I would like to create a custom field called logtypevalue with values based of the monitors. For example, if the monitor is:</P> <P>[monitor://D:\logs\logfiles\tomcat*.log]</P> <P>I want the value of logtypevalue set to abcde.</P> <P>If the monitor is:</P> <P>[monitor://D:\logs\logfiles\apache*.log]</P> <P>I want the value of logtypevalue set to testing.</P> <P>Basically the values of logtypevalue can't be extracted from the monitor so I am not sure how I can do this.</P> <P>Any help will be greatly appreciated.</P> <P>Thanks.</P> <P>Jackie</P> Fri, 21 Aug 2015 16:39:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183157#M52735 jackiewkc 2015-08-21T16:39:58Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183158#M52736 <P>I don't know you can do that in inputs.conf, but it's possible in props.conf. In the appropriate stanza for each input's sourcetype add</P> <PRE><CODE>EVAL-logtypevalue = "abcde" </CODE></PRE> <P>or</P> <PRE><CODE>EVAL-logtypevalue = "testing" </CODE></PRE> Fri, 21 Aug 2015 17:21:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183158#M52736 richgalloway 2015-08-21T17:21:30Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183159#M52737 <P>You can hard-code each <CODE>monitor</CODE> inside <CODE>inputs.conf</CODE> with a unique sourcetype such as <CODE>STunique1</CODE>, <CODE>STunique2</CODE>, etc.<BR /> Then inside <CODE>props.conf</CODE> you do like @richgalloway said and use <CODE>EVAL-logtypevalue="testing"</CODE> or whatever, for each unique <CODE>sourcetype</CODE> but you also rename the sourcetype here with <CODE>rename = "STcommon"</CODE> so that in the end, each one goes back to sharing the same sourcetype but with unique values for <CODE>logtypevalue</CODE>!</P> Fri, 21 Aug 2015 23:19:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183159#M52737 woodcock 2015-08-21T23:19:51Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183160#M52738 <P>Thanks a lot. I managed to do it based on your suggestion.</P> <P>In props.conf, I have this setting:</P> <P>[source::D:\\abc\\testing*.log]<BR /> EVAL-log_type = "testing-logs"</P> <P>[source::D:\\def\\reporting*.log]<BR /> EVAL-log_type = "reporting-logs"</P> <P>Now my question is that is it possible to specify the index in the above settings as well?</P> <P>It may happen that logs with the same paths coming from different servers for different indexes will match the paths above. I only want those that match the paths above and for a particular index to have log_type configured.</P> <P>Is this possible?</P> <P>Thanks.</P> Mon, 24 Aug 2015 12:36:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183160#M52738 jackiewkc 2015-08-24T12:36:05Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183161#M52739 <P>Thanks a lot. I managed to do it based on your suggestion.</P> <P>In props.conf, I have this setting:</P> <P>[source::D:\abc\testing*.log]<BR /> EVAL-log_type = "testing-logs"</P> <P>[source::D:\def\reporting*.log]<BR /> EVAL-log_type = "reporting-logs"</P> <P>Now my question is that is it possible to specify the index in the above settings as well?</P> <P>It may happen that logs with the same paths coming from different servers for different indexes will match the paths above. I only want those that match the paths above and for a particular index to have log_type configured.</P> <P>Is this possible?</P> <P>Thanks.</P> Mon, 24 Aug 2015 12:40:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183161#M52739 jackiewkc 2015-08-24T12:40:11Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183162#M52740 <P>You can include <CODE>index=foo</CODE> in your inputs.conf file, but not props.conf.</P> Mon, 24 Aug 2015 12:43:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183162#M52740 richgalloway 2015-08-24T12:43:06Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183163#M52741 <P>See my alternative answer. It will allow you to take into effect the <CODE>index</CODE> value by doing this based on <CODE>sourcetype</CODE> rather than by <CODE>source</CODE> (eliminating your problem entirely).</P> Mon, 24 Aug 2015 17:12:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183163#M52741 woodcock 2015-08-24T17:12:52Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183164#M52742 <P>Thanks for the reply, but the problem we have is that we use sourcetype for something else (linebreak). Therefore in our inputs.conf, there are multiple monitors with the same sourcetype which can't be changed. This means the only thing we can use to distinguish between different sources (i.e. monitors) is the source itself.</P> <P>Now I have updated props.conf with the settings in my reply above, and it works fine. There should not be another monitor with the exact same path but for a different index cos that would not be right, but I am just thinking out loud here whether it is possible to include the index in the configs above. Something like if the source is D:\def\reporting*.log and it is for the index "abc" then do the EVAL-log_type part.</P> <P>Thanks.</P> Tue, 25 Aug 2015 08:17:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183164#M52742 jackiewkc 2015-08-25T08:17:43Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183165#M52743 <P>Not possible.</P> Tue, 25 Aug 2015 13:56:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183165#M52743 woodcock 2015-08-25T13:56:07Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183166#M52744 <P>ok, thanks for getting back to me.</P> Tue, 25 Aug 2015 14:57:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-custom-field-with-values-based-on-the-monitors/m-p/183166#M52744 jackiewkc 2015-08-25T14:57:14Z