All Apps and Add-ons

Can I add the various Data Input Parameters as fields to events at index time?

cbarrett_splunk
Splunk Employee
Splunk Employee

I'm building a TA using the Add-On Builder and I've defined a few "Data Input Parameters" that need to be defined when the Input is added such as the device's IP address {dvc} , a boolean variable indicating if the device is at a fixed location (in terms of latitude and longitude) or mobile) {is_fixed_location}, and a few other optional fields. I'd like to include these fields at index time with any events created by any inputs that use my TA.

I've read the "Create custom fields at index time" Docs page (http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction), and I can add fields with hardcoded values to the events, but how can I add the values of the various Data Input Parameters to the events? I can see the fields defined within inputs.conf but how can I reference these in a way that allows me to add them to the events at index time?

inputs.conf
[timenet_pro://test]
index = default
sourcetype = timenetpro:status
disabled = 0
site_org_name = TEST
dvc = 10.10.10.10
is_fixed_location = True
nearby_addresses = 10.10.10.0/24,10.10.20.0/24

0 Karma

woodcock
Esteemed Legend

Each index-time field must be composted of a contiguous series of bytes found inside the raw event (i.e. a vector composed of an initial offset, plus a length). I believe you are talking about adding index-time fields with values that are not in the raw event data which is impossible. The only way to do it is to first ADD these strings into each raw event before it hits splunk (or at the beginning of the event parser using SEDCMD).

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!