Getting Data In

How to add an indexed field in a distributed setup?

infrauser
Explorer

Hi folks,

I'm trying to add an indexed field to a distributed setup, but I can't seem to get it working. (I'm aware that indexed fields are not typically recommended)

Here's the scenario: I have multiple indexers at different locations. I need to add a field to every message that is processed which includes the site where it came from.

On my search head (which is distributing the confs to the indexers), I have the following:

/opt/splunk/etc/system/local/props.conf:

[syslog]
TRANSFORMS-location = add_location

/opt/splunk/etc/system/local/transforms.conf:

[add_location]
SOURCE_KEY = location
REGEX = (.*)
FORMAT = location::$1
WRITE_META = true

/opt/splunk/etc/system/local/fields.conf:

[location]
INDEXED = true
INDEXED_VALUE = false

On the indexer I'm testing with, I have the following:

/opt/splunk/etc/apps/search/local/inputs.conf:

[tcp://5514]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true
location = ny

I found a similar question that I've used as a guide.

Any ideas? Are there any logs/commands that I can use to see why the indexed field isn't getting added to the events?

Thanks.

1 Solution

infrauser
Explorer

I was able to get this working. Here's what my conf files look like now:

/opt/splunk/etc/system/local/props.conf:

[syslog]
# TRANSFORMS-location = add_location

/opt/splunk/etc/system/local/transforms.conf:

# [add_location]
# SOURCE_KEY = location
# REGEX = (.*)
# FORMAT = location::$1
# WRITE_META = true

/opt/splunk/etc/system/local/fields.conf:

# [location]
# INDEXED = true
# INDEXED_VALUE = false

On the indexer I'm testing with, I have the following:

/opt/splunk/etc/apps/search/local/inputs.conf:

[tcp://5514]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true
# location = ny
_meta = location::qcy

0 Karma

gkanapathy
Splunk Employee

It should be noted that the field splunk_server is included in every event, and this indicates which indexer it came from. You can search or report on this field. If you must have a field by another name and map the splunk_server names to locations, you would be better off using a lookup table to map splunk_server names to location values.

0 Karma
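The lookup approach gkanapathy describes, written out as an added example that is not part of any post in this thread; the app name site_lookup, the file names and the indexer hostnames are assumptions:

```ini
# Added example (not from any post in this thread): map splunk_server to a
# site with a search-time lookup instead of indexing a location field on
# every event. App name, file names and indexer hostnames are assumed.

# $SPLUNK_HOME/etc/apps/site_lookup/lookups/indexer_site.csv (constructed CSV;
# the header row names the lookup's input and output fields)
#   splunk_server,location
#   idx01.ny.example.com,ny
#   idx02.qcy.example.com,qcy

# $SPLUNK_HOME/etc/apps/site_lookup/local/transforms.conf
[indexer_site]
filename = indexer_site.csv
case_sensitive_match = false
# an indexer missing from the CSV gets "unknown" instead of an empty field,
# so a report by location still accounts for every event
min_matches = 1
default_match = unknown

# $SPLUNK_HOME/etc/apps/site_lookup/local/props.conf
# automatic lookup, evaluated on the search head at search time: no change
# on the indexers and no re-indexing of existing data is needed
[syslog]
LOOKUP-location = indexer_site splunk_server OUTPUT location

# Share the lookup and the props stanza beyond this app (default.meta or the
# UI permissions) if searches run from other apps.

# Quick check from the search bar that every indexer is mapped:
#   | tstats count where index=* by splunk_server
#   | lookup indexer_site splunk_server OUTPUT location
```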
