Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to add multiple _meta from one field?

janroc
Explorer
‎02-13-2023 12:22 AM

Hi all,

I want to have on a HF (8.1.4) multiple _meta of one field values in one stanza.
Any sugestion how?

Example:
accountName = a _meta -> _meta = c-team1
accountName = b _meta -> _meta = c-team2
accountName = c _meta -> _meta = c-team3

Regards Jan

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-13-2023 12:48 AM

Hi @janroc,

as described at https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Configureindex-timefieldextraction, you have to find a regex to identify events to assign values, e.g. if in your events there are the following strings:

accountName = a or accountName = b accountName = c, you have to create something like this:

in props.conf:

[your_sourcetype]
TRANSFORMS-meta_a = override_meta_a
TRANSFORMS-meta_b = override_meta_b
TRANSFORMS-meta_c = override_meta_c

in transforms.conf:

[override_meta_a]
REGEX = accountname\s*\=\s*a
WRITE_META = true
DEST_KEY = _meta
DEFAULT_VALUE = c_team1
SOURCE_KEY = _meta

in addition, you have to add, on your indexers, in fields.conf

INDEXED=true

Ciao.

Giuseppe

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-13-2023 12:48 AM

Hi @janroc,

as described at https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Configureindex-timefieldextraction, you have to find a regex to identify events to assign values, e.g. if in your events there are the following strings:

accountName = a or accountName = b accountName = c, you have to create something like this:

in props.conf:

[your_sourcetype]
TRANSFORMS-meta_a = override_meta_a
TRANSFORMS-meta_b = override_meta_b
TRANSFORMS-meta_c = override_meta_c

in transforms.conf:

[override_meta_a]
REGEX = accountname\s*\=\s*a
WRITE_META = true
DEST_KEY = _meta
DEFAULT_VALUE = c_team1
SOURCE_KEY = _meta

in addition, you have to add, on your indexers, in fields.conf

INDEXED=true

Ciao.

Giuseppe

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-13-2023 02:11 AM

@janroc,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

janroc
Explorer
‎02-13-2023 01:08 AM

Hi @gcusello ,

Thank you for the answer and sorry for not give you all information.

We have multiple sourcetypes, will your suggestion work OR should I just one stanza per sourcetype in props.conf?

Will the _meta field overwrite the accountname field?
I want to keep the data in the accountname field as it is and add extra _meta from the accountname.

Regards Jan

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-13-2023 01:18 AM

Hi @janroc,

you should create a stanza for each sourcetype in props.conf, but all stanzas can address the same stanzas in transforms.conf.

One hint: why don't you create an automatic field on your Search Heads?

It's much easier to create and manage and does't give a great load in searches.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...