Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to add custom filed to input.config,Hoe to add custom field to input.config

moradato
Engager
‎10-30-2018 12:27 PM

Hello

I have 3 servers (one for each env) , each of the server forward data to the same index. I want to create a search that filter event according to the custom field that in this case represents the environment (prod/test/dev). I found in the documentation that I can override host, source and sourcetype, but I do not want to override, I want to add new information.

Appreciate your answers,
Thanks,Hi all

I am trying to add a custom field to the forwarder and the field need to be searchable. I found that I can only override host, index source and sourcetype and I don't want to override them
My motivation is that I have data from 3 environments (i.e. 3 different forwarders) going to the same index, I want to create a search using the custom field to filter event according to the environment

How can I add a custom field to input.config?

Appreciate your answers
Thanks

0 Karma
Reply

renjith_nair
Legend
‎10-31-2018 05:20 AM

@moradato, if you have three different servers sending data, then by searching with host= should be enough for you to filter the environment. Is there any specific reason you want to have a different field? If you are looking for readability, then create a field in search using eval env=case(host="your dev machine","dev",....etc)

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...