Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to add metadata to ANY event by default?

tpaulsen
Contributor
‎03-07-2013 02:29 AM

Hello,

we have several very spread environments and we have the need to have any event in our Splunk 5 to not only have metadata like host or source, but also two additional fields. I already took a close look into this: http://splunk-base.splunk.com/answers/1453/how-do-i-add-metadata-to-events-coming-from-a-splunk-forw... but that doesn´t fit in our case, since we would like to have ALL events by default getting the two additional fields, which btw. will be extracted from each Forwarder. How can we achieve this?

Thank you!

0 Karma
Reply

tpaulsen
Contributor
‎03-26-2013 03:47 AM

Ok, we use the Lookup Table method, which we still have to half manually need to generate, but at least it´s working now.

We have a CSV with FQDN and all the other fields we need, and use an automatic lookup definition:

inventory_lookup fqdn AS fqdn OUTPUTNEW environment AS environment FOOgroup AS FOOgroup FOOvertical AS FOOvertical
0 Karma
Reply

stefandagerman
Path Finder
‎03-08-2013 01:19 PM

Take a look here and note that this is NOT a recommended practice due to the impact on indexing performance

0 Karma
Reply

tpaulsen
Contributor
‎03-21-2013 03:13 AM

Unfortunately the information can´t be retrieved by a RegEx. It is located in a properties file on each system.

0 Karma
Reply

stefandagerman
Path Finder
‎03-13-2013 08:42 AM

Not quite, the link talks about how to add metadata to indexed data, which is done through props/transforms/fields as well. If you want to add a metadata field to each event, that is how you need to do it.
So, the only open questions are:
What is your system property variable, i.e. where is it defined (environment, config file, etc.)?
and
Can you write a RegEx to retrieve that variable?
If you can't, I don't know of any way to achieve what you are trying to do.

0 Karma
Reply

tpaulsen
Contributor
‎03-13-2013 02:23 AM

Hi, the link is refering to transform and props.conf which are used to extract data from the logfiles, indeed we want to inject data out of a different source, a system property variable, into each event. I still don´t get my head around how to do that.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...