Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to add multiple _meta from one field?

janroc
Explorer
‎02-13-2023 12:22 AM

Hi all,

I want to have on a HF (8.1.4) multiple _meta of one field values in one stanza.
Any sugestion how?

Example:
accountName = a _meta -> _meta = c-team1
accountName = b _meta -> _meta = c-team2
accountName = c _meta -> _meta = c-team3

Regards Jan

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-13-2023 12:48 AM

Hi @janroc,

as described at https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Configureindex-timefieldextraction, you have to find a regex to identify events to assign values, e.g. if in your events there are the following strings:

accountName = a or accountName = b accountName = c, you have to create something like this:

in props.conf:

[your_sourcetype]
TRANSFORMS-meta_a = override_meta_a
TRANSFORMS-meta_b = override_meta_b
TRANSFORMS-meta_c = override_meta_c

in transforms.conf:

[override_meta_a]
REGEX = accountname\s*\=\s*a
WRITE_META = true
DEST_KEY = _meta
DEFAULT_VALUE = c_team1
SOURCE_KEY = _meta

in addition, you have to add, on your indexers, in fields.conf

INDEXED=true

Ciao.

Giuseppe

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-13-2023 12:48 AM

Hi @janroc,

as described at https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Configureindex-timefieldextraction, you have to find a regex to identify events to assign values, e.g. if in your events there are the following strings:

accountName = a or accountName = b accountName = c, you have to create something like this:

in props.conf:

[your_sourcetype]
TRANSFORMS-meta_a = override_meta_a
TRANSFORMS-meta_b = override_meta_b
TRANSFORMS-meta_c = override_meta_c

in transforms.conf:

[override_meta_a]
REGEX = accountname\s*\=\s*a
WRITE_META = true
DEST_KEY = _meta
DEFAULT_VALUE = c_team1
SOURCE_KEY = _meta

in addition, you have to add, on your indexers, in fields.conf

INDEXED=true

Ciao.

Giuseppe

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-13-2023 02:11 AM

@janroc,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

janroc
Explorer
‎02-13-2023 01:08 AM

Hi @gcusello ,

Thank you for the answer and sorry for not give you all information.

We have multiple sourcetypes, will your suggestion work OR should I just one stanza per sourcetype in props.conf?

Will the _meta field overwrite the accountname field?
I want to keep the data in the accountname field as it is and add extra _meta from the accountname.

Regards Jan

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-13-2023 01:18 AM

Hi @janroc,

you should create a stanza for each sourcetype in props.conf, but all stanzas can address the same stanzas in transforms.conf.

One hint: why don't you create an automatic field on your Search Heads?

It's much easier to create and manage and does't give a great load in searches.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...