Getting Data In

Field Values to Tags?

dfurtaw
Path Finder

Hi All,

I am in an interesting predicament in the environment I work with, where our traditional method of tagging devops hosts via UF (in props/transforms) will no longer suffice as the team is moving to Kubernetes and using Splunk Connect to forward to the HEC on our SH.

A few of our Splunk end-users are questioning our ability to dynamically create tags, which they rely heavily on when creating custom reports and dashboards. Long story short, I am curious if there is the ability to assign a field value (i.e., altci) to a tag when a log is sent to the HEC. I believe there may be the ability to do this on the indexer level as data is being sent through the indexing pipeline, but I do not have any experience and I can't find any documentation that states this. I would appreciate any type of guidance on this matter. Thank you!

Dan

Ideally, it would be something like:

If a log has a field named altci, turn the field value into a tag=altcivalue.
