Getting Data In

How to add an indexed field in a distributed setup?

Explorer

Hi folks,

I'm trying to add an indexed field to a distributed setup, but I can't seem to get it working. (I'm aware that indexed fields are not typically recommended)

Here's the scenario: I have multiple indexers at different locations. I need to add a field to every message that is processed which includes the site where it came from.

On my search head (which is distributing the confs to the indexers), I have the following:

/opt/splunk/etc/system/local/props.conf:

[syslog]
TRANSFORMS-location = add_location

/opt/splunk/etc/system/local/transforms.conf

[add_location]
SOURCE_KEY = location
REGEX = (.*)
FORMAT = location::$1
WRITE_META = true

/opt/splunk/etc/system/local/fields.conf

[location]
INDEXED = true
INDEXED_VALUE = false

On the indexer I'm testing with, I have the following:

/opt/splunk/etc/apps/search/local/inputs.conf

[tcp://5514]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true
location = ny

I found a similar question that I've used as a guide.

Any ideas? Are there any logs/commands that I can use to see why the indexed field isn't getting added to the events?

Thanks.

Tags (2)
1 Solution

Explorer

I was able to get this working. Here's what my conf files look now:

/opt/splunk/etc/system/local/props.conf:

[syslog]
# TRANSFORMS-location = add_location

/opt/splunk/etc/system/local/transforms.conf

# [add_location]
# SOURCE_KEY = location
# REGEX = (.*)
# FORMAT = location::$1
# WRITE_META = true

/opt/splunk/etc/system/local/fields.conf

# [location]
# INDEXED = true
# INDEXED_VALUE = false

On the indexer I'm testing with, I have the following:

/opt/splunk/etc/apps/search/local/inputs.conf

[tcp://5514]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true
# location = ny
_meta = location::qcy

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

It should be noted that the field splunk_server is included in every event, and this indicates which indexer it came from. You can search or report on this field. If you must have a field by another name and map the splunk_server names to locations, you would be better off using a lookup table to map splunk_server names to location values.

0 Karma

Explorer

I was able to get this working. Here's what my conf files look now:

/opt/splunk/etc/system/local/props.conf:

[syslog]
# TRANSFORMS-location = add_location

/opt/splunk/etc/system/local/transforms.conf

# [add_location]
# SOURCE_KEY = location
# REGEX = (.*)
# FORMAT = location::$1
# WRITE_META = true

/opt/splunk/etc/system/local/fields.conf

# [location]
# INDEXED = true
# INDEXED_VALUE = false

On the indexer I'm testing with, I have the following:

/opt/splunk/etc/apps/search/local/inputs.conf

[tcp://5514]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true
# location = ny
_meta = location::qcy

View solution in original post

0 Karma