I need to set a value for a site code, which can later be used in searches. It needs to be added in the i_apps so that all data from that country can be grouped together.
Is there a way to do this? Most examples that I have seen are based on an extraction from the event and not just setting a value.
My apps are already split by site or country, so if I can set the value at the HWF I can then split the data for searching and set the dashboards to only show the relevant country's or site's data to that location.
If you have a key value, or field that's specific to each site/country, you can also use a lookup to enrich the data. Typical use cases would be to match hostnames to a specific region. E.g.,
hostname,country
host1,america
host2,emea
host3,apac
host4,emea
The lookup will run in that app, match the field host, and add a new field called region.
You can look at adding a field during parsing / indexing via http://docs.splunk.com/Documentation/Splunk/6.1.4/Data/Configureindex-timefieldextraction#Define_add...
However, this takes a toll on the CPU / disk IO depending on your data volume.
Looking back at this, a lookup at the parsing (HF) or index layer, which will look up the hostname and add a site field, is much easier apart from the maintenance of having to create the lookup file. Performance-wise, Splunk can handle lookups much faster than event rewrites.
If you're really bent on adding a field manually, then you can do something like this on the HF/indexer, changing the value for mysite to what you want it to be identified as...
transforms.conf
[site-location]
# An index-time transform needs a REGEX; "." matches any event so the FORMAT always fires
REGEX = .
# Constant value, so no capture group is referenced
FORMAT = site_id::mysite
# Write the field into the event metadata so it is indexed
WRITE_META = true
props.conf
[testlog]
TRANSFORMS-location = site-location
fields.conf
# The stanza name is the field name, not the transform name
[site_id]
INDEXED = true
OK will try it out tomorrow with a test system.
The events are all different, from network devices, Windows, Solaris, Linux, HP-UX, so the events don't make any difference as I just want anything going through particular HWFs to have a site code set. This is nothing to do with extracting data to select the site; I just want to be able to set "site = Bristol", for example.
eg
HWF 1 & HWF 2 site = BRISTOL
HWF 3 & HWF 4 site = SINGAPORE
HWF 5 & HWF 6 site = NEW-YORK
Give some example events and perhaps I can recommend some ways to proceed...
Sadly the hostnames do not match a particular country, hence the need for a new field "site" to allow searches for particular events from a particular site. I already have __i on the sites that I need to separate, so I was trying to add something to the props.conf or transforms.conf files.
If I understand correctly, you can add this in the forwarder:
_meta = site::
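The two mechanisms suggested in this thread (the props/transforms/fields stanzas in the earlier answer, and the inputs.conf `_meta` setting just above) put together as one per-site app that is deployed only to the HWFs at that site. This is an added example, not configuration from the original posters; the app name `site_tag_bristol`, the site code `BRISTOL`, the field name `site` and the receiving port 9997 are assumptions, and whether `_meta` takes effect on a `splunktcp` stanza is not something this thread confirms.

```ini
# $SPLUNK_HOME/etc/apps/site_tag_bristol/local/transforms.conf
# (added example; app name and site code are assumptions)
[site-location]
# Index-time transforms need a REGEX. "." matches one character of any event,
# which is enough to trigger the FORMAT for every event parsed on this HWF.
REGEX = .
# Constant value: no capture group is referenced.
FORMAT = site::BRISTOL
# Write the field into the event's metadata (_meta) so it is indexed.
WRITE_META = true

# $SPLUNK_HOME/etc/apps/site_tag_bristol/local/props.conf
# [default] applies the transform to every sourcetype parsed on this HWF,
# which matches "anything going through particular HWFs". Use a
# [host::...] or [source::...] stanza instead if only some data should be tagged.
[default]
TRANSFORMS-site = site-location

# $SPLUNK_HOME/etc/apps/site_tag_bristol/local/fields.conf
# The stanza is the FIELD name, not the transform name. With this in place
# (on the search head as well) "site=BRISTOL" is resolved against the index
# rather than by a search-time extraction.
[site]
INDEXED = true

# Alternative from the reply above, for the HWF's receiving input:
# $SPLUNK_HOME/etc/apps/site_tag_bristol/local/inputs.conf
# Assumption: that _meta applies to data arriving on a splunktcp input
# (cooked data from universal forwarders). Verify on the test system.
[splunktcp://9997]
_meta = site::BRISTOL
```

Two caveats a practitioner would check before rolling this to the six HWFs: index-time transforms run where the data is parsed, so events that were already parsed upstream (for example data relayed through another heavy forwarder) are not re-tagged by the indexers; and since the field is indexed, searching with `site::BRISTOL` forces a lookup in the index itself, which is the fast path for filtering a dashboard to one site. A restart of the HWF (or a reload of the app) is needed after the stanzas are added, and the `[default]` stanza should be reviewed for any sourcetype that must not carry the tag.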
Which app would you put that in? I need to change it on the HWF as then it will only need a change to each app and not a change to each client app.
Use a props.conf EVAL statement.
Because I need to use a string value, and using EVAL-site= creates a calculated field, I don't think that will work.