<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How to assign fields to event/logs which do not contain target string in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/How-to-assign-fields-to-event-logs-which-do-not-contain-target/m-p/315672#M94488</link>
    <description>&lt;P&gt;I have two applications; these can exist in preprod or live environments. I want to have a field on logs from both applications called "environment", which is set to LIVE if it is in the live environment.&lt;/P&gt;

&lt;P&gt;Using field extractions I am able to extract whether a URI is from a live or preprod server for &lt;STRONG&gt;Application A&lt;/STRONG&gt; by extracting LIVE when it appears in the URI and putting it into a field. This is easy as LIVE URIs include the string LIVE.&lt;/P&gt;

&lt;P&gt;&lt;EM&gt;regex to match start of URI&lt;/EM&gt;... &lt;STRONG&gt;(?P(?i)(LIVE))&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;For &lt;STRONG&gt;Application B&lt;/STRONG&gt; it is different: PREPROD URIs are marked PREPROD, and LIVE versions are unmarked. However, for consistency between applications, I'd like to put a live field onto the live URIs. As there is no longer a 'LIVE' string to extract from the live URIs (live URIs for this app are shown by a lack of PREPROD), I'm not sure how to do this with a regex field extraction. I basically need to detect logs which do not contain preprod, and create a new field on them, named environment, populated with the value 'live'.&lt;/P&gt;</description>
    <pubDate>Fri, 07 Apr 2017 15:16:39 GMT</pubDate>
    <dc:creator>JpAnderson_2</dc:creator>
    <dc:date>2017-04-07T15:16:39Z</dc:date>
    <item>
      <title>How to assign fields to event/logs which do not contain target string</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-assign-fields-to-event-logs-which-do-not-contain-target/m-p/315672#M94488</link>
      <description>&lt;P&gt;I have two applications; these can exist in preprod or live environments. I want to have a field on logs from both applications called "environment", which is set to LIVE if it is in the live environment.&lt;/P&gt;

&lt;P&gt;Using field extractions I am able to extract whether a URI is from a live or preprod server for &lt;STRONG&gt;Application A&lt;/STRONG&gt; by extracting LIVE when it appears in the URI and putting it into a field. This is easy as LIVE URIs include the string LIVE.&lt;/P&gt;

&lt;P&gt;&lt;EM&gt;regex to match start of URI&lt;/EM&gt;... &lt;STRONG&gt;(?P(?i)(LIVE))&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;For &lt;STRONG&gt;Application B&lt;/STRONG&gt; it is different: PREPROD URIs are marked PREPROD, and LIVE versions are unmarked. However, for consistency between applications, I'd like to put a live field onto the live URIs. As there is no longer a 'LIVE' string to extract from the live URIs (live URIs for this app are shown by a lack of PREPROD), I'm not sure how to do this with a regex field extraction. I basically need to detect logs which do not contain preprod, and create a new field on them, named environment, populated with the value 'live'.&lt;/P&gt;</description>
      <pubDate>Fri, 07 Apr 2017 15:16:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-assign-fields-to-event-logs-which-do-not-contain-target/m-p/315672#M94488</guid>
      <dc:creator>JpAnderson_2</dc:creator>
      <dc:date>2017-04-07T15:16:39Z</dc:date>
    </item>
    <item>
      <title>Re: How to assign fields to event/logs which do not contain target string</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-assign-fields-to-event-logs-which-do-not-contain-target/m-p/315673#M94489</link>
      <description>&lt;P&gt;How are you distinguishing between log records that come from one application and those that come from the other? Do they have different sourcetypes, or another major distinguishing characteristic at index time?&lt;/P&gt;</description>
      <pubDate>Fri, 07 Apr 2017 15:42:11 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-assign-fields-to-event-logs-which-do-not-contain-target/m-p/315673#M94489</guid>
      <dc:creator>DalJeanis</dc:creator>
      <dc:date>2017-04-07T15:42:11Z</dc:date>
    </item>
    <item>
      <title>Re: How to assign fields to event/logs which do not contain target string</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-assign-fields-to-event-logs-which-do-not-contain-target/m-p/315674#M94490</link>
      <description>&lt;P&gt;There is another field for app_name extracted in a series of separate field extractions. It is extracted from the URI in an IIS log.&lt;/P&gt;</description>
      <pubDate>Fri, 07 Apr 2017 15:45:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-assign-fields-to-event-logs-which-do-not-contain-target/m-p/315674#M94490</guid>
      <dc:creator>JpAnderson_2</dc:creator>
      <dc:date>2017-04-07T15:45:12Z</dc:date>
    </item>
    <item>
      <title>Re: How to assign fields to event/logs which do not contain target string</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-assign-fields-to-event-logs-which-do-not-contain-target/m-p/315675#M94491</link>
      <description>&lt;P&gt;Okay, it can be done. Extractions are not really designed to be "programmed", but you can usually make it happen.&lt;/P&gt;

&lt;P&gt;There may be a more elegant way, but as long as you can get the rules to operate in this exact order, then here's some pseudocode on how you can do it, in four rules. &lt;/P&gt;

&lt;P&gt;1) extract the appname&lt;BR /&gt;
2) if appname matches app A, set environment to PREPROD&lt;BR /&gt;
3) if appname matches app B, set environment to LIVE&lt;BR /&gt;
4) if URI contains LIVE or PREPROD, set environment to that value&lt;/P&gt;</description>
      <pubDate>Fri, 07 Apr 2017 16:11:04 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-assign-fields-to-event-logs-which-do-not-contain-target/m-p/315675#M94491</guid>
      <dc:creator>DalJeanis</dc:creator>
      <dc:date>2017-04-07T16:11:04Z</dc:date>
    </item>
    <item>
      <title>Re: How to assign fields to event/logs which do not contain target string</title>
      <link>https://community.splunk.com/t5/Splunk-Search/How-to-assign-fields-to-event-logs-which-do-not-contain-target/m-p/315676#M94492</link>
      <description>&lt;P&gt;Thanks for the answer. Is this all done with field extractions? For example, how would I do step 1: set environment in the same extraction which sets the app name?&lt;/P&gt;</description>
      <pubDate>Tue, 11 Apr 2017 10:24:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/How-to-assign-fields-to-event-logs-which-do-not-contain-target/m-p/315676#M94492</guid>
      <dc:creator>JpAnderson_2</dc:creator>
      <dc:date>2017-04-11T10:24:25Z</dc:date>
    </item>
  </channel>
</rss>

