Adding a field

timmy13 · ‎05-17-2012

I have about 30 Univ. forwarders on servers dedicated to clientX. I am currently sending the data to a specific index called clientX via props and transforms. The servers reside in different environments (dev, qa, prod, etc.).

I'd like to add a field at index time to indicate which environment the server belongs to, in order to have the ability to query just that environment (i.e. 'index=clientX env=qa')

Here is a sample of my current configs:

props.conf

[host::EHRPITVPDBAP30]
TRANSFORMS-clientX_Host = clientXHost

[host::EHRPITVPDBAP31]
TRANSFORMS-clientX_Host = clientXHost

transforms.conf

[clientXHost]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = clientX

I'm assuming I need to do something in transforms.conf to add the field, but am unsure.

Thanks in advance for the help.

sdaniels · ‎05-17-2012

I think an easier way to do this would be using tags. If you have a very large number of servers you could use a look up but in this case it would simply be adding the 'client' tag to the server and then you would be able to say 'tag=clientx' in your search.

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Tagthehostfield

Ayn · ‎05-17-2012

Or for that matter lookup files if tags aren't desirable for some reason.

Adding a field

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation

Adding a field

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud