Re: Adding a field

timmy13 · ‎05-17-2012

I have about 30 Univ. forwarders on servers dedicated to clientX. I am currently sending the data to a specific index called clientX via props and transforms. The servers reside in different environments (dev, qa, prod, etc.).

I'd like to add a field at index time to indicate which environment the server belongs to, in order to have the ability to query just that environment (i.e. 'index=clientX env=qa')

Here is a sample of my current configs:

props.conf

[host::EHRPITVPDBAP30]
TRANSFORMS-clientX_Host = clientXHost

[host::EHRPITVPDBAP31]
TRANSFORMS-clientX_Host = clientXHost

transforms.conf

[clientXHost]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = clientX

I'm assuming I need to do something in transforms.conf to add the field, but am unsure.

Thanks in advance for the help.

sdaniels · ‎05-17-2012

I think an easier way to do this would be using tags. If you have a very large number of servers you could use a look up but in this case it would simply be adding the 'client' tag to the server and then you would be able to say 'tag=clientx' in your search.

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Tagthehostfield

Ayn · ‎05-17-2012

Or for that matter lookup files if tags aren't desirable for some reason.

Adding a field

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation