Getting Data In

How can I create custom indexed fields for Splunk DB Connect database inputs?

mbarrie_splunk
Splunk Employee
Splunk Employee

Currently using a pair of custom indexed fields for qualifying some of our data. For normal inputs this works great using the steps I've included at the end. It does not, however, seem to work with dbmon-tail inputs from the DBConnect app. I really need those input to also have values for the indexed fields, but just specifying the field names like this doesn't work:

[dbmon-tail://MY_DB/mydbqueryname]
host = myhost
index = application
interval = 5m
output.format = mkv
output.timestamp = 1
output.timestamp.column = login_time
query = select * \r\nfrom sometable\r\nwhere login_time >= sysdate-1\r\n{{AND $rising_column$ > ?}}
sourcetype = mysourcetype
table = sometable
tail.rising.column = LOGIN_TIME
meta_customfield1 = "myapp"
meta_customfield2= "Finance Division"

A working process for custom indexed fields that are not dbmon-tail inputs:
To correctly handle the indexed fields meta_customfield1 and meta_customfield2 on a heavy forwarder or indexer:

Step 1: (inputs.conf)
[monitor://tmp/myapp_security.log]
meta_customfield1 = “my_application_name"
meta_customfield2 = “security_info"
sourcetype=mysourcetype

[monitor://tmp/myapp_error.log]
meta_customfield1 = “my_application_name"
meta_customfield2 = “errors"
sourcetype= mysourcetype

Description: This is the same as an inputs.conf file on a universal forwarder, nothing different here.
(you will get warnings about the meta_* names when you restart splunk, this is normal and you can safely ignore them)

Step 2: (props.conf)

[host::*]
TRANSFORMS-generatemeta = generate_field1, generate_field2

Description: This stanza says "for any host, call the two transforms generate_field1 and generate_field2.”

Step 3: (transforms.conf)
[generate_field1]
SOURCE_KEY = meta_customfield1
WRITE_META = true
REPEAT_MATCH = true
FORMAT = meta_customfield1::"$1"
REGEX= ([^:\"]+)

[generate_field2]
SOURCE_KEY = meta_customfield2
WRITE_META = true
REPEAT_MATCH = true
FORMAT = meta_customfield2::"$1"
REGEX= ([^:\"]+)

[accepted_keys]
miketest = meta_customfield1, meta_customfield2

Description: the accepted_keys stanza just lists the new keys we created (otherwise you will get errors). The other two stanzas look at the source_key and keep applying the regex to it creating a new indexed field for each match. So a meta_customfield1 of “finance:banking” would result in a first key of meta_customfield1 = finance and a second indexed field of meta_customfield1 = banking. The WRITE_META tells the transforms to actually make this an indexed field.

Step 4 (This is done on the search head, so in your case this is unnecessary, but it’s a change they made to fields.conf)
[meta_customfield1]
INDEXED = true

[meta_customfield2]
INDEXED=true

Description: This just tells the search head about the two new indexed fields.

0 Karma

mbarrie_splunk
Splunk Employee
Splunk Employee

After some trial and error I got this working (but it's a bit of a hack, not sure yet why I can't get the normal approach to work with dbmon-tail inputs) as a workaround:

inputs.conf:
[dbmon-tail://MY_DB/mydbqueryname]
# stash the two meta fields in the host name
host = "myhost|myapp:finance division"
index = application
interval = 5m
output.format = mkv
output.timestamp = 1
output.timestamp.column = login_time
query = select * from sometabler where login_time >= sysdate-1 {{AND $rising_column$ > ?}}
sourcetype = mysourcetype
table = sometable
tail.rising.column = LOGIN_TIME

props.conf:
[mysourcetype]
TRANSFORMS-dbmon_create_meta_fields = dbmon_create_field1, dbmon_create_field2, dbmon_clean_host

#  These two transforms could be combined, I just am being lazy
[dbmon_create_field1]
SOURCE_KEY=MetaData:Host
REGEX=\w+\|([^\:\"]+)
FORMAT = meta_customfield1::"$1"
WRITE_META = true

[dbmon_create_field2]
SOURCE_KEY=MetaData:Host
REGEX=\w+\|[^\:\"]+\:([^\"]+)
FORMAT = meta_customfield2::"$1"
WRITE_META = true

#This cleans the host field back up to just have the host name
[dbmon_clean_host]
SOURCE_KEY=MetaData:Host
REGEX=\"{0,1}([^\|\"]+)\|
FORMAT = host::$1
DEST_KEY = MetaData:Host

[accepted_keys]
key_ meta_customfield1 = meta_customfield1
key_ meta_customfield2 = meta_customfield1
0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...