Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add an indexed field in a distributed setup?

infrauser
Explorer
‎01-03-2011 08:01 PM

Hi folks,

I'm trying to add an indexed field to a distributed setup, but I can't seem to get it working. (I'm aware that indexed fields are not typically recommended)

Here's the scenario: I have multiple indexers at different locations. I need to add a field to every message that is processed which includes the site where it came from.

On my search head (which is distributing the confs to the indexers), I have the following:

/opt/splunk/etc/system/local/props.conf:

[syslog]
TRANSFORMS-location = add_location

/opt/splunk/etc/system/local/transforms.conf

[add_location]
SOURCE_KEY = location
REGEX = (.*)
FORMAT = location::$1
WRITE_META = true

/opt/splunk/etc/system/local/fields.conf

[location]
INDEXED = true
INDEXED_VALUE = false

On the indexer I'm testing with, I have the following:

/opt/splunk/etc/apps/search/local/inputs.conf 

[tcp://5514]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true
location = ny

I found a similar question that I've used as a guide.

Any ideas? Are there any logs/commands that I can use to see why the indexed field isn't getting added to the events?

Thanks.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

infrauser
Explorer
‎01-04-2011 12:24 AM

I was able to get this working. Here's what my conf files look now:

/opt/splunk/etc/system/local/props.conf:

[syslog]
# TRANSFORMS-location = add_location

/opt/splunk/etc/system/local/transforms.conf

# [add_location]
# SOURCE_KEY = location
# REGEX = (.*)
# FORMAT = location::$1
# WRITE_META = true

/opt/splunk/etc/system/local/fields.conf

# [location]
# INDEXED = true
# INDEXED_VALUE = false

On the indexer I'm testing with, I have the following:

/opt/splunk/etc/apps/search/local/inputs.conf

[tcp://5514]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true
# location = ny
_meta = location::qcy

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎01-04-2011 12:58 AM

It should be noted that the field splunk_server is included in every event, and this indicates which indexer it came from. You can search or report on this field. If you must have a field by another name and map the splunk_server names to locations, you would be better off using a lookup table to map splunk_server names to location values.

0 Karma
Reply
Solved! Jump to solution
Solution

infrauser
Explorer
‎01-04-2011 12:24 AM

I was able to get this working. Here's what my conf files look now:

/opt/splunk/etc/system/local/props.conf:

[syslog]
# TRANSFORMS-location = add_location

/opt/splunk/etc/system/local/transforms.conf

# [add_location]
# SOURCE_KEY = location
# REGEX = (.*)
# FORMAT = location::$1
# WRITE_META = true

/opt/splunk/etc/system/local/fields.conf

# [location]
# INDEXED = true
# INDEXED_VALUE = false

On the indexer I'm testing with, I have the following:

/opt/splunk/etc/apps/search/local/inputs.conf

[tcp://5514]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true
# location = ny
_meta = location::qcy
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Splunk ITSI & Correlated Network Visibility

  Now On Demand   Take Your Network Visibility to the Next Level In today’s complex IT environments, ...

Community Content Calendar, August edition

In the dynamic world of cybersecurity, staying ahead means constantly solving new puzzles and optimizing your ...

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...
Top