Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to add an indexed field in a distributed s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi folks,
I'm trying to add an indexed field to a distributed setup, but I can't seem to get it working. (I'm aware that indexed fields are not typically recommended)
Here's the scenario: I have multiple indexers at different locations. I need to add a field to every message that is processed which includes the site where it came from.
On my search head (which is distributing the confs to the indexers), I have the following:
/opt/splunk/etc/system/local/props.conf:
[syslog]
TRANSFORMS-location = add_location
/opt/splunk/etc/system/local/transforms.conf
[add_location]
SOURCE_KEY = location
REGEX = (.*)
FORMAT = location::$1
WRITE_META = true
/opt/splunk/etc/system/local/fields.conf
[location]
INDEXED = true
INDEXED_VALUE = false
On the indexer I'm testing with, I have the following:
/opt/splunk/etc/apps/search/local/inputs.conf
[tcp://5514]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true
location = ny
I found a similar question that I've used as a guide.
Any ideas? Are there any logs/commands that I can use to see why the indexed field isn't getting added to the events?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was able to get this working. Here's what my conf files look now:
/opt/splunk/etc/system/local/props.conf:
[syslog]
# TRANSFORMS-location = add_location
/opt/splunk/etc/system/local/transforms.conf
# [add_location]
# SOURCE_KEY = location
# REGEX = (.*)
# FORMAT = location::$1
# WRITE_META = true
/opt/splunk/etc/system/local/fields.conf
# [location]
# INDEXED = true
# INDEXED_VALUE = false
On the indexer I'm testing with, I have the following:
/opt/splunk/etc/apps/search/local/inputs.conf
[tcp://5514]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true
# location = ny
_meta = location::qcy
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It should be noted that the field splunk_server is included in every event, and this indicates which indexer it came from. You can search or report on this field. If you must have a field by another name and map the splunk_server names to locations, you would be better off using a lookup table to map splunk_server names to location values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was able to get this working. Here's what my conf files look now:
/opt/splunk/etc/system/local/props.conf:
[syslog]
# TRANSFORMS-location = add_location
/opt/splunk/etc/system/local/transforms.conf
# [add_location]
# SOURCE_KEY = location
# REGEX = (.*)
# FORMAT = location::$1
# WRITE_META = true
/opt/splunk/etc/system/local/fields.conf
# [location]
# INDEXED = true
# INDEXED_VALUE = false
On the indexer I'm testing with, I have the following:
/opt/splunk/etc/apps/search/local/inputs.conf
[tcp://5514]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true
# location = ny
_meta = location::qcy
The OpenTelemetry Certified Associate (OTCA) Exam
From Manual to Agentic: Level Up Your SOC at Cisco Live
Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)
