All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do add a field to each indexed event with a value from the source file header?

derekwalsh_1
Explorer
‎07-24-2014 05:22 PM

Hi Guys,

I tried to figure this out from the documentation on index-time field extractions but couldn't see an obvious way of doing what I need. I am indexing a file that contains a header section that is 1-line and is the first line in the file. That line tells me the version of software that generated the log file. The header looks like this:

2014/07/24 14:00:02.438 0 GeneralLogHeader Version 1.8 (April 23, 2014), System ID=Beta_1

And then on the lines following the header I have the actual events. I would like to add a field to each event that contains the software version value. Then for example I could search for all events that were generated by a particular software version. E.g.

search SoftwareVersion="1.8"

or say,

[search criteria] | stats count BY SoftwareVersion

This way I can map events/results to a specific software version. Is there a way to extract this data and add it as a field to each event?

Reply

strive
Influencer
‎07-24-2014 09:30 PM

Try this

transforms.conf 

[include_version]  
REGEX = (?i)^(?:[^ ]*( {1,2})){5}(\d+\.\d+)  
FORMAT=Software_Version::$1  
WRITE_META = true

props.conf

[<Your stanza name>]
TRANSFORMS-include = include_version

fields.conf

[Software_Version]
INDEXED=true

I am not good at writing regex. You may have to check it once.

Reply

strive
Influencer
‎07-30-2014 12:44 AM

OOPS i missed that.
What is the naming convention followed for your log files? logfile_

Reply

Kawtar
Path Finder
‎09-24-2018 03:46 AM

there is a way to do this plz ?

0 Karma
Reply

derekwalsh_1
Explorer
‎07-28-2014 04:54 PM

it's almost like I need a lookup table, the key being a file name and the value being the software version. So that I can discriminate events based on their source file and consequently, software version.

0 Karma
Reply

derekwalsh_1
Explorer
‎07-28-2014 04:49 PM

Thanks for trying. But this will only add the field to an event that matches the regular expression (which is fine btw). I want to add the field for every event that is indexed in that file. To put it another way:

The first line in the file is a header event and I want to put information from that first line into each subsequent event in that file. Similar to how the file name gets added to each event.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...