Currently using a pair of custom indexed fields for qualifying some of our data. For normal inputs this works great using the steps I've included at the end. It does not, however, seem to work with dbmon-tail inputs from the DBConnect app. I really need those input to also have values for the indexed fields, but just specifying the field names like this doesn't work:
[dbmon-tail://MY_DB/mydbqueryname]
host = myhost
index = application
interval = 5m
output.format = mkv
output.timestamp = 1
output.timestamp.column = login_time
query = select * \r\nfrom sometable\r\nwhere login_time >= sysdate-1\r\n{{AND $rising_column$ > ?}}
sourcetype = mysourcetype
table = sometable
tail.rising.column = LOGIN_TIME
meta_customfield1 = "myapp"
meta_customfield2= "Finance Division"
A working process for custom indexed fields that are not dbmon-tail inputs:
To correctly handle the indexed fields meta_customfield1 and meta_customfield2 on a heavy forwarder or indexer:
Step 1: (inputs.conf)
[monitor://tmp/myapp_security.log]
meta_customfield1 = “my_application_name"
meta_customfield2 = “security_info"
sourcetype=mysourcetype
[monitor://tmp/myapp_error.log]
meta_customfield1 = “my_application_name"
meta_customfield2 = “errors"
sourcetype= mysourcetype
Description: This is the same as an inputs.conf file on a universal forwarder, nothing different here.
(you will get warnings about the meta_* names when you restart splunk, this is normal and you can safely ignore them)
Step 2: (props.conf)
[host::*]
TRANSFORMS-generatemeta = generate_field1, generate_field2
Description: This stanza says "for any host, call the two transforms generate_field1 and generate_field2.”
Step 3: (transforms.conf)
[generate_field1]
SOURCE_KEY = meta_customfield1
WRITE_META = true
REPEAT_MATCH = true
FORMAT = meta_customfield1::"$1"
REGEX= ([^:\"]+)
[generate_field2]
SOURCE_KEY = meta_customfield2
WRITE_META = true
REPEAT_MATCH = true
FORMAT = meta_customfield2::"$1"
REGEX= ([^:\"]+)
[accepted_keys]
miketest = meta_customfield1, meta_customfield2
Description: the accepted_keys stanza just lists the new keys we created (otherwise you will get errors). The other two stanzas look at the source_key and keep applying the regex to it creating a new indexed field for each match. So a meta_customfield1 of “finance:banking” would result in a first key of meta_customfield1 = finance and a second indexed field of meta_customfield1 = banking. The WRITE_META tells the transforms to actually make this an indexed field.
Step 4 (This is done on the search head, so in your case this is unnecessary, but it’s a change they made to fields.conf)
[meta_customfield1]
INDEXED = true
[meta_customfield2]
INDEXED=true
Description: This just tells the search head about the two new indexed fields.
After some trial and error I got this working (but it's a bit of a hack, not sure yet why I can't get the normal approach to work with dbmon-tail inputs) as a workaround:
inputs.conf:
[dbmon-tail://MY_DB/mydbqueryname]
# stash the two meta fields in the host name
host = "myhost|myapp:finance division"
index = application
interval = 5m
output.format = mkv
output.timestamp = 1
output.timestamp.column = login_time
query = select * from sometabler where login_time >= sysdate-1 {{AND $rising_column$ > ?}}
sourcetype = mysourcetype
table = sometable
tail.rising.column = LOGIN_TIME
props.conf:
[mysourcetype]
TRANSFORMS-dbmon_create_meta_fields = dbmon_create_field1, dbmon_create_field2, dbmon_clean_host
# These two transforms could be combined, I just am being lazy
[dbmon_create_field1]
SOURCE_KEY=MetaData:Host
REGEX=\w+\|([^\:\"]+)
FORMAT = meta_customfield1::"$1"
WRITE_META = true
[dbmon_create_field2]
SOURCE_KEY=MetaData:Host
REGEX=\w+\|[^\:\"]+\:([^\"]+)
FORMAT = meta_customfield2::"$1"
WRITE_META = true
#This cleans the host field back up to just have the host name
[dbmon_clean_host]
SOURCE_KEY=MetaData:Host
REGEX=\"{0,1}([^\|\"]+)\|
FORMAT = host::$1
DEST_KEY = MetaData:Host
[accepted_keys]
key_ meta_customfield1 = meta_customfield1
key_ meta_customfield2 = meta_customfield1