Can I add the various Data Input Parameters as fields to events at index time?

cbarrett_splunk
Splunk Employee

I'm building a TA using the Add-On Builder and I've defined a few "Data Input Parameters" that need to be defined when the Input is added, such as the device's IP address {dvc}, a boolean variable indicating if the device is at a fixed location (in terms of latitude and longitude) or mobile {is_fixed_location}, and a few other optional fields. I'd like to include these fields at index time with any events created by any inputs that use my TA.

I've read the "Create custom fields at index time" Docs page (http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction), and I can add fields with hardcoded values to the events, but how can I add the values of the various Data Input Parameters to the events? I can see the fields defined within inputs.conf but how can I reference these in a way that allows me to add them to the events at index time?

inputs.conf
[timenet_pro://test]
index = default
sourcetype = timenetpro:status
disabled = 0
site_org_name = TEST
dvc = 10.10.10.10
is_fixed_location = True
nearby_addresses = 10.10.10.0/24,10.10.20.0/24

0 Karma

woodcock
Esteemed Legend

Each index-time field must be composed of a contiguous series of bytes found inside the raw event (i.e. a vector composed of an initial offset, plus a length). I believe you are talking about adding index-time fields with values that are not in the raw event data, which is impossible. The only way to do it is to first ADD these strings into each raw event before it hits Splunk (or at the beginning of the event parser using SEDCMD).

0 Karma
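
The approach in the answer above (writing the parameter values into each raw event before it reaches Splunk), sketched as an added example that is not code from either poster or from the Add-on Builder. It reads the custom parameters from the question's stanza and prepends them as quoted key="value" pairs, escaping quotes and newlines so a parameter value cannot inject extra fields or split the event. The function names, the `RESERVED` set, and the sample raw event are assumptions made for illustration.

```python
import configparser

# Constructed sample: the stanza from the question, as the input would see it.
SAMPLE_INPUTS_CONF = """\
[timenet_pro://test]
index = default
sourcetype = timenetpro:status
disabled = 0
site_org_name = TEST
dvc = 10.10.10.10
is_fixed_location = True
nearby_addresses = 10.10.10.0/24,10.10.20.0/24
"""

# Assumed list of Splunk's own settings; everything else is a custom parameter.
RESERVED = {"index", "sourcetype", "disabled", "host", "source", "interval"}


def input_parameters(conf_text, stanza):
    """Return the custom Data Input Parameters of one inputs.conf stanza."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case as written
    parser.read_string(conf_text)
    return {k: v for k, v in parser[stanza].items() if k not in RESERVED}


def quote(value):
    """Quote a value so it cannot break out of its key="value" pair."""
    cleaned = value.replace("\\", "\\\\").replace('"', '\\"')
    cleaned = cleaned.replace("\r", " ").replace("\n", " ")  # no event splitting
    return '"%s"' % cleaned


def enrich(raw_event, params):
    """Prepend the parameters to the raw event as key="value" pairs."""
    prefix = " ".join("%s=%s" % (k, quote(v)) for k, v in sorted(params.items()))
    return "%s %s" % (prefix, raw_event) if prefix else raw_event


if __name__ == "__main__":
    params = input_parameters(SAMPLE_INPUTS_CONF, "timenet_pro://test")
    print(enrich("status=locked satellites=9", params))  # constructed raw event
```
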