Is this possible in Splunk, where we can add new fields and their value will depend on a condition? in
transforms.conf file? or in
e.g. while indexing we have a field called mynum=6; when this is found then Splunk needs to add a new field (at the end of each event) called "check", and the value is pass/fail depending on a condition, and the condition for pass is mynum>5?
something like when I indexed the data in Splunk
....my sample log....,check=pass
Can anyone help me on this?
Yes, you can overwrite the raw data to add a new field at index time using the same method for masking sensitive data.
For example, suppose your original log file goes like this:
[22/Apr/2014:00:46:27] VendorID=0001 mynum=4 Code=A
[22/Apr/2014:00:48:40] VendorID=0002 mynum=5 Code=B
[22/Apr/2014:00:50:02] VendorID=0003 mynum=6 Code=C
Assuming your mynum value ranges from 0-9, you can use the REGEX pattern to identify two brackets of mynum values in your source file (0-5, 6-9), perform transformations based on the values, and overwrite the raw data during the indexing process.
# props.conf
[source::...\\mylog.log]
TRANSFORMS-fail = fail
TRANSFORMS-pass = pass

# transforms.conf
[fail]
REGEX = (.*mynum=[0-5])(\s.*)
DEST_KEY = _raw
FORMAT = $1 check=fail $2

[pass]
REGEX = (.*mynum=[6-9])(\s.*)
DEST_KEY = _raw
FORMAT = $1 check=pass $2
Hope it helps. Thanks!
I'm afraid not, snehalk. Only regex is supported here in transforms.conf. However, if you are dealing with 2-digit or 3-digit numbers, you can still capture them using an appropriate regex expression. Not sure if this helps. Thanks!
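Because an index-time rewrite of _raw cannot be undone once the data is indexed, it is worth dry-running the REGEX/FORMAT pairs against sample events before deploying them. The script below is an added example, not part of the answer above or of Splunk itself: it simulates how a transforms.conf stanza with DEST_KEY = _raw replaces the event with the expanded FORMAT (Splunk's $1/$2 references mapped onto Python's re.Match.expand), runs the two single-digit stanzas from the answer over constructed copies of the sample log lines, and also shows a regex generalised to the multi-digit case raised in the comment (the MULTI_DIGIT_TRANSFORMS patterns are an assumption of this example, not something the page gives). The function names and the sample events are constructed here.

```python
import re

# Constructed sample events, same shape as the log lines quoted in the answer.
SAMPLE_EVENTS = [
    "[22/Apr/2014:00:46:27] VendorID=0001 mynum=4 Code=A",
    "[22/Apr/2014:00:48:40] VendorID=0002 mynum=5 Code=B",
    "[22/Apr/2014:00:50:02] VendorID=0003 mynum=6 Code=C",
]

# The two transforms.conf stanzas from the answer as (REGEX, FORMAT) pairs,
# listed in the same order as the TRANSFORMS-* settings in props.conf.
# The patterns are mutually exclusive, so the order does not change the result.
SINGLE_DIGIT_TRANSFORMS = [
    (r"(.*mynum=[0-5])(\s.*)", "$1 check=fail $2"),
    (r"(.*mynum=[6-9])(\s.*)", "$1 check=pass $2"),
]

# Assumed generalisation for values with more than one digit (not on the page):
# "mynum>5" is a single digit 6-9, or any value of two or more digits whose
# leading digit is 1-9. The fail pattern already only matches 0-5 followed by
# whitespace, so two-digit values never get check=fail.
MULTI_DIGIT_TRANSFORMS = [
    (r"(.*mynum=[0-5])(\s.*)", "$1 check=fail $2"),
    (r"(.*mynum=(?:[6-9]|[1-9]\d+))(\s.*)", "$1 check=pass $2"),
]


def splunk_format_to_python(fmt):
    """Translate Splunk FORMAT back-references ($1, $2, ...) to re.expand syntax (\\g<1>, ...)."""
    return re.sub(r"\$(\d+)", r"\\g<\1>", fmt)


def apply_transforms(raw, transforms):
    """Simulate DEST_KEY = _raw: every stanza whose REGEX matches replaces the
    whole event with its expanded FORMAT. Stanzas run in order on the current
    (possibly already rewritten) _raw, as Splunk does at index time."""
    for regex, fmt in transforms:
        match = re.search(regex, raw)
        if match:
            raw = match.expand(splunk_format_to_python(fmt))
    return raw


def check_field(raw):
    """Return the value of the injected check field, or None if no stanza matched."""
    match = re.search(r"\bcheck=(\w+)", raw)
    return match.group(1) if match else None


def rewrite_events(events, transforms):
    """Dry-run a transform set over a list of events and return the rewritten events."""
    return [apply_transforms(event, transforms) for event in events]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_EVENTS, rewrite_events(SAMPLE_EVENTS, SINGLE_DIGIT_TRANSFORMS)):
        print(f"{before}\n  -> {after}  (check={check_field(after)})")
    # Note the doubled space before Code=: FORMAT inserts " check=fail " and $2
    # still begins with the whitespace captured by (\s.*).
    print(apply_transforms("[x] mynum=12 Code=D", SINGLE_DIGIT_TRANSFORMS))  # unchanged, no stanza matches
    print(apply_transforms("[x] mynum=12 Code=D", MULTI_DIGIT_TRANSFORMS))   # check=pass
```

Running the dry run surfaces two things a reviewer would want to know before shipping the stanzas: the rewritten event carries a double space before Code= (because $2 starts with the captured whitespace), and a value such as mynum=12 matches neither single-digit stanza and is indexed with no check field at all, which is exactly the gap the follow-up comment is about.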