I read in the Knowledge Manager Manual "All extraction configurations in props.conf are restricted by a specific source, sourcetype, or host. Start by identifying the sourcetype, source, or host that provide the events from which you would like your field to be extracted."
Is there any way around the restrictions? Will there be in future versions?
EDIT-- I'm looking at implementing checks on our hosts to ensure their log activity is in a normal range. So I'm going to add a field from a static lookup table that has the average number of logs per day per host in it. I need this field to exist for all hosts and all sourcetypes.
What restrictions are you trying to bypass? Usually, when you specify extractions you want to keep that within groups, i.e. extractions for WinEventLog is not going to be the same as extractions for a Cisco PIX log. Also, for similar values, i.e. IP Address, MAC address, you can create a stanza in the transforms.conf and then reference that from the props.conf.
This isn't so much a "restriction" that prevents you from doing anything as a "scope" that keeps you from asking Splunk to do more than it should. It is certainly possible to set rules that apply to all data regardless of host, source, or sourcetype (either by setting a default, or a wildcard on host or source). But there are very few reasons to do this, and many reasons not to. Perhaps it would help if you explained what you are trying to do and clarify why you think you want to do this.
If you really need an extraction to apply to all data, you can use stanza such as
However, I'm baffled why you want to implement the log volume as a lookup, wouldn't this be a search? For example:
splunk> index=_internal | source=*metrics.log per_host_thruput | stats sum(kb) by host
I've got it as a lookup because the data is already calculated and stored in a table elsewhere, so as long as the lookup works, there's no reason to recalculate the volume.
I guess my suspicion is you want this data to exist indexed by time per day, as something like a summary index, although it may be numbers you've computed externally simply fed into a sparse index.