Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add multiple _meta from one field?

janroc
Explorer
‎02-13-2023 12:22 AM

Hi all,

I want to have on a HF (8.1.4) multiple _meta of one field values in one stanza.
Any sugestion how?

Example:
accountName = a _meta -> _meta = c-team1
accountName = b _meta -> _meta = c-team2
accountName = c _meta -> _meta = c-team3

Regards Jan

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-13-2023 12:48 AM

Hi @janroc,

as described at https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Configureindex-timefieldextraction, you have to find a regex to identify events to assign values, e.g. if in your events there are the following strings:

accountName = a or accountName = b accountName = c, you have to create something like this:

in props.conf:

[your_sourcetype]
TRANSFORMS-meta_a = override_meta_a
TRANSFORMS-meta_b = override_meta_b
TRANSFORMS-meta_c = override_meta_c

in transforms.conf:

[override_meta_a]
REGEX = accountname\s*\=\s*a
WRITE_META = true
DEST_KEY = _meta
DEFAULT_VALUE = c_team1
SOURCE_KEY = _meta

in addition, you have to add, on your indexers, in fields.conf

INDEXED=true

Ciao.

Giuseppe

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-13-2023 12:48 AM

Hi @janroc,

as described at https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Configureindex-timefieldextraction, you have to find a regex to identify events to assign values, e.g. if in your events there are the following strings:

accountName = a or accountName = b accountName = c, you have to create something like this:

in props.conf:

[your_sourcetype]
TRANSFORMS-meta_a = override_meta_a
TRANSFORMS-meta_b = override_meta_b
TRANSFORMS-meta_c = override_meta_c

in transforms.conf:

[override_meta_a]
REGEX = accountname\s*\=\s*a
WRITE_META = true
DEST_KEY = _meta
DEFAULT_VALUE = c_team1
SOURCE_KEY = _meta

in addition, you have to add, on your indexers, in fields.conf

INDEXED=true

Ciao.

Giuseppe

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-13-2023 02:11 AM

@janroc,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

janroc
Explorer
‎02-13-2023 01:08 AM

Hi @gcusello ,

Thank you for the answer and sorry for not give you all information.

We have multiple sourcetypes, will your suggestion work OR should I just one stanza per sourcetype in props.conf?

Will the _meta field overwrite the accountname field?
I want to keep the data in the accountname field as it is and add extra _meta from the accountname.

Regards Jan

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-13-2023 01:18 AM

Hi @janroc,

you should create a stanza for each sourcetype in props.conf, but all stanzas can address the same stanzas in transforms.conf.

One hint: why don't you create an automatic field on your Search Heads?

It's much easier to create and manage and does't give a great load in searches.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

From GPU to Application: Monitoring Cisco AI Infrastructure with Splunk Observability ...

AI workloads are different. They demand specialized infrastructure—powerful GPUs, enterprise-grade networking, ...

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...