I need to set a value for a site code, which can later be used in searches. It needs to be added in the i_apps so that all data from that country can be grouped together.
Is there a way to do this? Most examples that I have seen are based on an extraction from the event and not just setting a value.
My apps are already split by site or country so if I can set the value at the HWF I can then split the data for searching and set the dashboards to only show the relevant country or sites data to that location.
Because I need to use a string value and using EVAL-site= creates a calculation field I don't think that will work.
Which app would you put that in? I need to change it on the HWF as then it will only need a change to each app and not a change to each client app.
If you have a key value, or field that's specific to each site/country, you can also use a lookup to enrich the data. Typical use cases would be to match hostnames to a specific region. E.g.,
Lookup will run in that app, match the field host, and add a new field called region.
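As an added example (not part of the original answer), this is how the lookup-based enrichment described above would be laid out. The CSV contents, the stanza name host_region and the field name region are assumptions; the lookup is applied automatically at search time, so these files belong in the app on the search head:

```ini
# lookups/host_to_region.csv -- constructed sample rows; a real file would come
# from your inventory/CMDB. First line is the header.
#   host,region
#   fw-bri-01,BRISTOL
#   dc-sgp-02,SINGAPORE
#   app-nyc-03,NEW-YORK

# transforms.conf -- declare the CSV as a lookup table (stanza name is assumed)
[host_region]
filename = host_to_region.csv
case_sensitive_match = false

# props.conf -- automatic lookup for every host: match the event field "host"
# against the CSV column "host" and add the CSV column "region" to the event
# as a field called "region". Runs at search time, not on the forwarder.
[host::*]
LOOKUP-region = host_region host AS host OUTPUT region AS region
```

Because the CSV is the only thing that changes when a host moves, it is a single file to maintain rather than a config change on every forwarder; the trade-off is that the region field exists only at search time, so it cannot be used to route or filter data on the heavy forwarder itself.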
Sadly the hostnames do not match a particular country, hence the need for a new field "site" to allow searches for particular events from a particular site. I already have __i on the sites that I need to separate, so I was trying to add something to the props.conf or transforms.conf files.
Give some example events and perhaps can recommend some ways to proceed...
The events are all different, from network devices, Windows, Solaris, Linux, HP-UX, so the events don't make any difference as I just want anything going through particular HWFs to have a site code set. This has nothing to do with extracting data to select the site; I just want to be able to set "site = Bristol" for example.
HWF 1 & HWF 2 site = BRISTOL
HWF 3 & HWF 4 site = SINGAPORE
HWF 5 & HWF 6 site = NEW-YORK
You can look at adding a field during parsing / indexing, via http://docs.splunk.com/Documentation/Splunk/6.1.4/Data/Configureindex-timefieldextraction#Define_add...
However, this takes a toll on the CPU / disk IO depending on your data volume.
Looking back to this, a lookup at the parsing (HF) or index layer, which will look up the hostname and add a site field, is much easier except for the maintenance of having to create the lookup file. Performance wise, Splunk can handle lookups much faster than event rewrites.
If you're really bent on adding a field manually, then you can do something like this on the HF/indexer, changing the value for mysite to what you want it to be identified as...
transforms.conf (on the HF/indexer):
[site-location]
REGEX = .
FORMAT = site_id::mysite
WRITE_META = true

props.conf (on the same HF/indexer):
[default]
TRANSFORMS-location = site-location
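As an added example (not from the original answer), here is the rest of what a practitioner needs around that index-time field: the per-HWF values from the question, the fields.conf entry the search head needs because the value never appears in the raw event, and a search to confirm the field landed. The field name site_id and the stanza name site-location are carried over from the snippet above; everything else is assumed:

```ini
# transforms.conf -- only the FORMAT line differs between the three apps, so
# deploy one app per site pair rather than one per client:
#   HWF 1 & HWF 2:  FORMAT = site_id::BRISTOL
#   HWF 3 & HWF 4:  FORMAT = site_id::SINGAPORE
#   HWF 5 & HWF 6:  FORMAT = site_id::NEW-YORK
[site-location]
REGEX = .
FORMAT = site_id::BRISTOL
WRITE_META = true

# fields.conf (search head) -- site_id is an indexed field whose value is NOT
# in _raw, so tell search to use the field index and not to look for the
# literal "BRISTOL" in the raw text.
[site_id]
INDEXED = true
INDEXED_VALUE = false

# Verification search once data has flowed through the forwarder (constructed):
#   index=* site_id::BRISTOL | stats count BY host
# A host that shows up under the wrong site_id means it is reaching the wrong HWF.
```

Because WRITE_META writes the value into the index at ingest, a mistyped site code is permanent for that data; the lookup approach above can be corrected by editing a CSV, which is one reason the answer recommends it.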