How to add a new field called "site" that sets a value for a site code (eg: site=uk) within an i_app in Splunk 6.1?

a599korg
Explorer

I need to set a value for a site code, which can later be used in searches. It needs to be added in the i_apps so that all data from that country can be grouped together.
Is there a way to do this? Most examples that I have seen are based on an extraction from the event and not just setting a value.

My apps are already split by site or country so if I can set the value at the HWF I can then split the data for searching and set the dashboards to only show the relevant country or sites data to that location.

0 Karma

esix_splunk
Splunk Employee

If you have a key value, or field that's specific to each site/country, you can also use a lookup to enrich the data. Typical use cases would be to match hostnames to a specific region. E.g.,

hostname,country
host1,america
host2,emea
host3,apac
host4,emea

Lookup will run in that app, match the field host, and add a new field called region.

0 Karma
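A worked configuration for the automatic lookup described above, added here as an example; it is not part of the answer or of any Splunk app. It assumes the CSV is saved as lookups/host_region.csv inside the app and uses a placeholder sourcetype, testlog, for the props.conf stanza. The CSV columns are the ones shown above (hostname, country); the props.conf line maps hostname onto the event's host field and writes country out under the new name region, which is what the answer describes.

```ini
# lookups/host_region.csv  (constructed sample, same rows as the answer above)
# hostname,country
# host1,america
# host2,emea
# host3,apac
# host4,emea

# transforms.conf : declare the CSV as a lookup table
[host_region]
filename = host_region.csv

# props.conf : run the lookup automatically at search time for the (assumed) sourcetype.
# Match the CSV column "hostname" against the event field "host" and write the
# CSV column "country" into a new field called "region".
[testlog]
LOOKUP-region = host_region hostname AS host OUTPUTNEW country AS region
```

Because LOOKUP- runs at search time, the app holding these two stanzas and the CSV has to be present on the search head rather than on the HWF. Hosts that are missing from the CSV simply get no region field, and OUTPUTNEW leaves any existing region value untouched. A quick check after deploying is to search the sourcetype and add `| stats count by host, region`.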

esix_splunk
Splunk Employee

You can look at adding a field during parsing / indexing via http://docs.splunk.com/Documentation/Splunk/6.1.4/Data/Configureindex-timefieldextraction#Define_add...
However, this takes a toll on the CPU / disk IO depending on your data volume.

Looking back to this, a lookup at the parsing (HF) or index layer, which will look up the hostname and add a site field, is much easier apart from the maintenance of having to create the lookup file. Performance-wise, Splunk can handle lookups much faster than event rewrites.

If you're really bent on adding a field manually, then you can do something like this on the HF/indexer, changing the value for mysite to what you want it to be identified as...

transforms.conf

[site-location]
# REGEX must match for the transform to run; "." matches any non-empty event
REGEX = .
# a key::value pair in FORMAT is written to _meta as an indexed field; replace mysite with your site code
FORMAT = site_id::mysite
WRITE_META = true

props.conf

[testlog]
TRANSFORMS-location = site-location

fields.conf

# the stanza name is the field written by FORMAT (site_id), not the transform name
[site_id]
INDEXED = true

0 Karma
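A complete version of the index-time approach for one HWF pair, using the site codes from the question (BRISTOL here; the same three stanzas with SINGAPORE or NEW-YORK go in the app for the other HWFs). This is an added example, not the answer's or Splunk's own configuration. It assumes that the [default] stanza in props.conf is inherited by every sourcetype, so the transform runs on all data passing through that HWF regardless of device type, and it names the field site to match the question rather than site_id.

```ini
# transforms.conf : index-time transform that tags every event with a static site code
[site-bristol]
# REGEX has to match for the transform to run; "." matches any non-empty event
REGEX = .
# key::value written into _meta becomes an indexed field; the value is this HWF's site code
FORMAT = site::BRISTOL
WRITE_META = true

# props.conf : attach the transform to all data passing through this HWF
# (assumption: [default] settings are inherited by every sourcetype stanza)
[default]
TRANSFORMS-site = site-bristol

# fields.conf : make search treat "site" as an indexed field (needed on the search heads too)
[site]
INDEXED = true
```

Deploy the app on the heavy forwarder that receives the data. Because the field is written at index time it applies to everything the HWF parses, including its own internal logs, and it cannot be changed for events that are already indexed; the fields.conf stanza is also needed on the search heads so that site=BRISTOL is searched as an indexed field. Since the field is indexed, `| tstats count where index=* by site` is a cheap way to confirm that each HWF is tagging its events.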

a599korg
Explorer

OK will try it out tomorrow with a test system.

0 Karma

a599korg
Explorer

The events are all different, from network devices, Windows, Solaris, Linux and HP-UX, so the events don't make any difference as I just want anything going through particular HWFs to have a site code set. This has nothing to do with extracting data to select the site; I just want to be able to set "site = Bristol", for example.
e.g.
HWF 1 & HWF 2 site = BRISTOL
HWF 3 & HWF 4 site = SINGAPORE
HWF 5 & HWF 6 site = NEW-YORK

0 Karma

esix_splunk
Splunk Employee

Give some example events and perhaps can recommend some ways to proceed...

0 Karma

a599korg
Explorer

Sadly the hostnames do not match a particular country, hence the need for a new field "site" to allow searches for particular events from a particular site. I already have __i on the sites that I need to separate, so I was trying to add something to the props.conf or transforms.conf files.

0 Karma

kml_uvce
Builder

If I understand correctly:

you can add this in the forwarder:
_meta = site::

0 Karma

a599korg
Explorer

Which app would you put that in? I need to change it on the HWF as then it will only need a change to each app and not a change to each client app.

0 Karma

ahall_splunk
Splunk Employee

Use a props.conf EVAL statement.

0 Karma

a599korg
Explorer

Because I need to use a string value, and using EVAL-site= creates a calculated field, I don't think that will work.

0 Karma