Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Adding a field

timmy13
Communicator
‎05-17-2012 09:46 AM

I have about 30 Univ. forwarders on servers dedicated to clientX. I am currently sending the data to a specific index called clientX via props and transforms. The servers reside in different environments (dev, qa, prod, etc.).

I'd like to add a field at index time to indicate which environment the server belongs to, in order to have the ability to query just that environment (i.e. 'index=clientX env=qa')

Here is a sample of my current configs:

props.conf

[host::EHRPITVPDBAP30]
TRANSFORMS-clientX_Host = clientXHost

[host::EHRPITVPDBAP31]
TRANSFORMS-clientX_Host = clientXHost

transforms.conf

[clientXHost]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = clientX

I'm assuming I need to do something in transforms.conf to add the field, but am unsure.

Thanks in advance for the help.

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎05-17-2012 10:16 AM

I think an easier way to do this would be using tags. If you have a very large number of servers you could use a look up but in this case it would simply be adding the 'client' tag to the server and then you would be able to say 'tag=clientx' in your search.

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Tagthehostfield

Reply

Ayn
Legend
‎05-17-2012 10:17 AM

Or for that matter lookup files if tags aren't desirable for some reason.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...