How to add a 'static' field to all events from a s...

p1rate5s · ‎01-14-2015

I have a distributed Splunk installation with two sites and indexer replication between the two sites such that all data is searchable at both sites. I need to be able to distinguish which site the data came from initially (the original sources) and do not see anywhere where the 'site' designation in the cluster configuration is present in the events. How would I add a static field with the value of the site? I am thinking about a custom field with static values at index time that say 'site1' on the indexers at site1 and 'site2' on the indexers at site2. Has anyone done anything like this? The examples I have see are all based on data by source or host so I am a little unsure of how it would look. Any help is appreciated.

trsavela · ‎01-14-2015

There should be field called 'splunk_server', but don't think that helps with your situation.

You can process data at index time with a transform, there is more info here: http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Configureindex-timefieldextraction

How to add a 'static' field to all events from a site to track data's original sources in a multisite index clustering environment?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7