All Apps and Add-ons

How can I add static field/value to the DEFAULT_VALUE specified in transforms.conf that is searchable?

fr00z
Loves-to-Learn Lots

I have adding a custom field/value to a log event within splunk @index time. This also includes a DEFAULT_VALUE if the match fails. Here are examples of my config:

tranforms.conf 

 

[app_name]
REGEX = \"app_name\":\".+?(\w+)-(\w)-.+?\"
FORMAT = app::$1$2
DEFAULT_VALUE = app::"not_specified"
WRITE_META = true

 

fields.conf

 

[app]
INDEXED=true

 

Everything works except the default value is not searchable. Under interesting fields in the splunk UI I can see app -> "not_specified" as a value with an event count, however when I click on it, or add it to a search, 0 results are returned. The non-default values return back ok, and are searchable, just the static default value is not. Any help is much appreciated.

Labels (1)
0 Karma