Getting Data In

How to add new fields in indexing time depending on condition

snehalk
Communicator

Hello All,

Is it possible in Splunk to add new fields whose value depends on a condition? In the transforms.conf file, or in fields.conf?

e.g. while indexing we have a field called mynum=6; when this is found, Splunk needs to add a new field (at the end of each event) called "check" whose value is pass/fail depending on a condition, and the condition for pass is mynum>5?

Something like this when I index the data in Splunk:

....my sample log....,check=pass

Can anyone help me with this?

Thank you

0 Karma

hunters_splunk
Splunk Employee

Hi snehalk,

Yes, you can overwrite the raw data to add a new field at index time using the same method for masking sensitive data.

For example, suppose your original log file goes like this:

[22/Apr/2014:00:46:27] VendorID=0001 mynum=4 Code=A
[22/Apr/2014:00:48:40] VendorID=0002 mynum=5 Code=B
[22/Apr/2014:00:50:02] VendorID=0003 mynum=6 Code=C

Assuming your mynum value ranges from 0-9, you can use the REGEX pattern to identify two brackets of mynum values in your source file (0-5, 6-9), perform transformations based on the values, and overwrite the raw data during the indexing process.

props.conf

[source::...\\mylog.log]
TRANSFORMS-fail = fail
TRANSFORMS-pass = pass

transforms.conf

[fail]
REGEX = (.*mynum=[0-5])(\s.*)
DEST_KEY = _raw
FORMAT = $1 check=fail $2

[pass]
REGEX = (.*mynum=[6-9])(\s.*)
DEST_KEY = _raw
FORMAT = $1 check=pass $2

Hope it helps. Thanks!
Hunter

snehalk
Communicator

Hello Hunter,

Thanks for the reply. Is it possible to use a condition like mynum>5 instead of using a regular expression, because the number can change? Can we use any arithmetic operator?

0 Karma

hunters_splunk
Splunk Employee

I'm afraid not, snehalk. Only regex is supported here in transforms.conf. However, if you are dealing with 2-digit or 3-digit numbers, you can still capture them using an appropriate regex expression. Not sure if this helps. Thanks!

0 Karma
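As an added example (not part of this thread or of Splunk's own code), the following Python script simulates what the two transforms.conf stanzas in the answer above do to _raw at index time, and adds a hypothetical multi-digit variant of the kind the follow-up reply hints at. The sample events are the ones from the answer plus one constructed line with mynum=15.

```python
import re

# Constructed sample events: the three lines from the answer above, plus one
# hypothetical two-digit value to show where the single-digit regexes stop.
SAMPLE_LOG = [
    "[22/Apr/2014:00:46:27] VendorID=0001 mynum=4 Code=A",
    "[22/Apr/2014:00:48:40] VendorID=0002 mynum=5 Code=B",
    "[22/Apr/2014:00:50:02] VendorID=0003 mynum=6 Code=C",
    "[22/Apr/2014:00:51:13] VendorID=0004 mynum=15 Code=D",  # constructed
]

# The two transforms.conf stanzas from the answer, as (REGEX, FORMAT) pairs.
# With DEST_KEY = _raw, a matching stanza replaces the whole event with FORMAT,
# which is why each REGEX captures the entire line around mynum.
SINGLE_DIGIT = [
    (r"(.*mynum=[0-5])(\s.*)", "$1 check=fail $2"),
    (r"(.*mynum=[6-9])(\s.*)", "$1 check=pass $2"),
]

# Hypothetical variant (not from the thread) in the spirit of the follow-up:
# "fail" for 0-5, "pass" for 6-999, expressed purely as a regex because
# transforms.conf offers no arithmetic comparison.
MULTI_DIGIT = [
    (r"(.*mynum=[0-5])(\s.*)", "$1 check=fail $2"),
    (r"(.*mynum=(?:[6-9]|[1-9]\d{1,2}))(\s.*)", "$1 check=pass $2"),
]


def splunk_format_to_python(fmt):
    """Translate Splunk's $1/$2 capture references into Python's \\g<1>/\\g<2>."""
    return re.sub(r"\$(\d+)", r"\\g<\1>", fmt)


def apply_transforms(raw, transforms):
    """Rewrite one event the way the TRANSFORMS-* stanzas would at index time.

    Stanzas run in props.conf order and each one sees _raw as left by the
    previous one, so a later REGEX must still match the rewritten line.
    """
    for regex, fmt in transforms:
        match = re.match(regex, raw)
        if match:
            raw = match.expand(splunk_format_to_python(fmt))
    return raw


def index_log(lines, transforms):
    return [apply_transforms(line, transforms) for line in lines]
```

Running `index_log(SAMPLE_LOG, SINGLE_DIGIT)` leaves the mynum=15 line untouched, since neither [0-5] nor [6-9] can be followed by whitespace there; `MULTI_DIGIT` tags it check=pass.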

snehalk
Communicator

No problem Hunters, thank you for your input.

0 Karma