Can I add the various Data Input Parameters as fie...

cbarrett_splunk · ‎05-21-2017

I'm building a TA using the Add-On Builder and I've defined a few "Data Input Parameters" that need to be defined when the Input is added such as the device's IP address {dvc} , a boolean variable indicating if the device is at a fixed location (in terms of latitude and longitude) or mobile) {is_fixed_location}, and a few other optional fields. I'd like to include these fields at index time with any events created by any inputs that use my TA.

I've read the "Create custom fields at index time" Docs page (http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction), and I can add fields with hardcoded values to the events, but how can I add the values of the various Data Input Parameters to the events? I can see the fields defined within inputs.conf but how can I reference these in a way that allows me to add them to the events at index time?

inputs.conf
[timenet_pro://test]
index = default
sourcetype = timenetpro:status
disabled = 0
site_org_name = TEST
dvc = 10.10.10.10
is_fixed_location = True
nearby_addresses = 10.10.10.0/24,10.10.20.0/24

woodcock · ‎05-22-2017

Each index-time field must be composted of a contiguous series of bytes found inside the raw event (i.e. a vector composed of an initial offset, plus a length). I believe you are talking about adding index-time fields with values that are not in the raw event data which is impossible. The only way to do it is to first ADD these strings into each raw event before it hits splunk (or at the beginning of the event parser using SEDCMD).

Can I add the various Data Input Parameters as fields to events at index time?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...