Getting Data In

How to add a new field called "site" that sets a value for a site code (eg: site=uk) within an i_app in Splunk 6.1?

Explorer

I need to set a value for a site code, which can later be used in searches. It needs to be added in the i_apps so that all data from that country can be grouped together.
Is there a way to do this? Most examples that I have seen are based on an extraction from the event and not just setting a value.

My apps are already split by site or country, so if I can set the value at the HWF, I can then split the data for searching and set the dashboards to only show the relevant country's or site's data to that location.


Re: How to add a new field called "site" that sets a value for a site code (eg: site=uk) within an i_app in Splunk 6.1?

Splunk Employee

Use a props.conf EVAL statement.


Re: How to add a new field called "site" that sets a value for a site code (eg: site=uk) within an i_app in Splunk 6.1?

Explorer

Because I need to use a string value, and using EVAL-site= creates a calculated field, I don't think that will work.


Re: How to add a new field called "site" that sets a value for a site code (eg: site=uk) within an i_app in Splunk 6.1?

Builder

If I understand correctly, you can add this on the forwarder:

_meta = site::


Re: How to add a new field called "site" that sets a value for a site code (eg: site=uk) within an i_app in Splunk 6.1?

Explorer

Which app would you put that in? I need to change it on the HWF as then it will only need a change to each app and not a change to each client app.


Re: How to add a new field called "site" that sets a value for a site code (eg: site=uk) within an i_app in Splunk 6.1?

Splunk Employee

If you have a key value, or field that's specific to each site/country, you can also use a lookup to enrich the data. Typical use cases would be to match hostnames to a specific region. E.g.,

hostname,country
host1,america
host2,emea
host3,apac
host4,emea

Lookup will run in that app, match the field host, and add a new field called region.


Re: How to add a new field called "site" that sets a value for a site code (eg: site=uk) within an i_app in Splunk 6.1?

Explorer

Sadly the hostnames do not match a particular country, hence the need for a new field "site" to allow searches for particular events from a particular site. I already have __i on the sites that I need to separate, so I was trying to add something to the props.conf or transforms.conf files.


Re: How to add a new field called "site" that sets a value for a site code (eg: site=uk) within an i_app in Splunk 6.1?

Splunk Employee

Give some example events and perhaps I can recommend some ways to proceed...


Re: How to add a new field called "site" that sets a value for a site code (eg: site=uk) within an i_app in Splunk 6.1?

Explorer

The events are all different (from network devices, Windows, Solaris, Linux, HP-UX), so the events don't make any difference, as I just want anything going through particular HWFs to have a site code set. This has nothing to do with extracting data to select the site; I just want to be able to set "site = Bristol", for example.
e.g.:
HWF 1 & HWF 2: site = BRISTOL
HWF 3 & HWF 4: site = SINGAPORE
HWF 5 & HWF 6: site = NEW-YORK


Re: How to add a new field called "site" that sets a value for a site code (eg: site=uk) within an i_app in Splunk 6.1?

Splunk Employee

You can look at adding a field during parsing / indexing via http://docs.splunk.com/Documentation/Splunk/6.1.4/Data/Configureindex-timefieldextraction#Define_add...
However, this takes a toll on the CPU / disk I/O depending on your data volume.

Looking back at this, a lookup at the parsing (HF) or index layer, which will look up the hostname and add a site field, is much easier, apart from the maintenance of having to create the lookup file. Performance-wise, Splunk can handle lookups much faster than event rewrites.

If you're really bent on adding a field manually, then you can do something like this on the HF/indexer, changing the value for mysite to what you want it to be identified as...

transforms.conf

[site-location]
# match every event so the field is added unconditionally
REGEX = .
# static field::value pair; no capture group is referenced
FORMAT = site::mysite
# write the pair into _meta so it becomes an indexed field
WRITE_META = true

props.conf

[testlog]
# sourcetype stanza: apply the transform above to this sourcetype
TRANSFORMS-location = site-location

fields.conf

# stanza name is the field name from FORMAT, not the transform name
[site]
INDEXED = true

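The three stanzas above are easy to get subtly wrong (a FORMAT that references $1 with no REGEX, or a fields.conf stanza named after the transform instead of the field), and Splunk will silently index nothing. As an added check that is my own code, not from the thread or from Splunk, this small linter reads a props/transforms/fields.conf set with Python's configparser and reports those mismatches; the BROKEN and FIXED inputs are constructed from the reply above.

```python
"""Lint an index-time field setup (props/transforms/fields.conf) for the
mistakes in the thread above: FORMAT referencing a capture group the REGEX
lacks, no REGEX, a transform that writes nowhere, no INDEXED = true stanza."""
import configparser
import re

def _load(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: Splunk setting names are case-sensitive
    cp.read_string(text)
    return cp

def lint_indexed_fields(props_text, transforms_text, fields_text):
    """Return a list of problems; an empty list means the three files agree."""
    props, transforms, fields = map(_load, (props_text, transforms_text, fields_text))
    indexed = {s for s in fields.sections() if fields[s].get("INDEXED", "").lower() == "true"}
    problems = []
    for stanza in props.sections():
        for key, value in props[stanza].items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                if name not in transforms:
                    problems.append(f"[{stanza}]: transform [{name}] is not defined")
                    continue
                t = transforms[name]
                m = re.fullmatch(r"([\w-]+)::(.*)", t.get("FORMAT", ""))
                if not m:
                    problems.append(f"[{name}]: FORMAT must look like field::value")
                    continue
                field, tpl = m.groups()
                if "REGEX" not in t:
                    problems.append(f"[{name}]: no REGEX (use REGEX = . to tag every event)")
                else:
                    ngroups = re.compile(t["REGEX"]).groups
                    for ref in re.findall(r"\$(\d+)", tpl):
                        if int(ref) > ngroups:
                            problems.append(f"[{name}]: FORMAT uses ${ref} but REGEX has {ngroups} group(s)")
                if t.get("WRITE_META", "").lower() != "true" and "DEST_KEY" not in t:
                    problems.append(f"[{name}]: needs WRITE_META = true (or a DEST_KEY)")
                if field not in indexed:
                    problems.append(f"[{name}]: fields.conf needs [{field}] with INDEXED = true")
    return problems

# Constructed inputs: the stanzas posted in the reply above, then a corrected set.
PROPS = "[testlog]\nTRANSFORMS-location = site-location\n"
BROKEN = (PROPS, '[site-location]\nDEFAULTVALUE = siteid = mysite\nFORMAT = site_id::"$1"\nWRITE_META = true\n',
          "[site-location]\nINDEXED = true\n")
FIXED = (PROPS, "[site-location]\nREGEX = .\nFORMAT = site::BRISTOL\nWRITE_META = true\n",
         "[site]\nINDEXED = true\n")
```

Run `lint_indexed_fields(*BROKEN)` to see the two problems in the posted config, and `lint_indexed_fields(*FIXED)` returns an empty list.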