
How to add new fields at index time depending on a condition


Hello All,

Is it possible in Splunk to add new fields whose value depends on a condition? In the transforms.conf file, or in fields.conf?

E.g., while indexing we have a field called mynum=6; when this is found, Splunk needs to add a new field (at the end of each event) called "check", and the value is pass/fail depending on a condition, and the condition for pass is mynum>5.

Something like this when I have indexed the data in Splunk: sample log....,check=pass

Can anyone help me with this?

Thank you

0 Karma

Splunk Employee

Hi snehalk,

Yes, you can overwrite the raw data to add a new field at index time using the same method for masking sensitive data.

For example, suppose your original log file goes like this:

[22/Apr/2014:00:46:27] VendorID=0001 mynum=4 Code=A
[22/Apr/2014:00:48:40] VendorID=0002 mynum=5 Code=B
[22/Apr/2014:00:50:02] VendorID=0003 mynum=6 Code=C

Assuming your mynum value ranges from 0-9, you can use REGEX patterns to identify two brackets of mynum values in your source file (0-5, 6-9), perform transformations based on the values, and overwrite the raw data during the indexing process.


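# props.conf (the stanza name below is a placeholder for your own sourcetype)
[<your_sourcetype>]
TRANSFORMS-fail = fail
TRANSFORMS-pass = pass

# transforms.conf
# mynum 0-5: insert check=fail after the mynum value
[fail]
REGEX = (.*mynum=[0-5])(\s.*)
DEST_KEY = _raw
FORMAT = $1 check=fail $2

# mynum 6-9: insert check=pass after the mynum value
[pass]
REGEX = (.*mynum=[6-9])(\s.*)
DEST_KEY = _raw
FORMAT = $1 check=pass $2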

Hope it helps. Thanks!


Hello Hunter,

Thanks for the reply. Is it possible to use a condition like mynum>5 instead of a regular expression, because the number can change? Can we use any arithmetic operator?

0 Karma

Splunk Employee

I'm afraid not, snehalk. Only regex is supported here in transforms.conf. However, if you are dealing with 2-digit or 3-digit numbers, you can still capture them using an appropriate regex expression. Not sure if this helps. Thanks!

0 Karma
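An added example, not part of the original thread and not Splunk's own code: a Python helper that generalizes the answer's two-bracket regex to any threshold and to multi-digit values, renders the [fail] and [pass] stanzas, and checks them locally with Python's re on constructed events. The function names, the max_digits bound, the negative-lookahead form of the fail pattern and the two extra sample events are assumptions of this example; values are assumed to be written without leading zeros.

```python
import re

def gt_regex(n, max_digits=3):
    """Pattern for integers > n with at most max_digits digits, no leading zeros."""
    s, alts = str(n), []
    for i, ch in enumerate(s):              # same length as n: raise one digit
        d, rest = int(ch), len(s) - i - 1
        if d < 9:
            hi = "9" if d == 8 else f"[{d + 1}-9]"
            alts.append(s[:i] + hi + (rf"\d{{{rest}}}" if rest else ""))
    if max_digits > len(s):                 # every longer number is greater
        alts.append(rf"[1-9]\d{{{len(s)},{max_digits - 1}}}")
    if not alts:
        raise ValueError("no value within max_digits exceeds the threshold")
    return "(?:" + "|".join(alts) + ")"

def build_regexes(field, n, max_digits=3):
    """REGEX values for [fail] (value of allowed width, not > n) and [pass]."""
    gt = gt_regex(n, max_digits)
    return {
        "fail": rf"(.*{field}=(?!{gt}\s)\d{{1,{max_digits}}})(\s.*)",
        "pass": rf"(.*{field}={gt})(\s.*)",
    }

def to_conf(regexes):
    """Render transforms.conf text using the keys shown in the answer."""
    return "\n\n".join(
        f"[{name}]\nREGEX = {rx}\nDEST_KEY = _raw\nFORMAT = $1 check={name} $2"
        for name, rx in regexes.items())

def rewrite(raw, regexes):
    """Local approximation of the _raw rewrite; the two patterns never both match."""
    for name, rx in regexes.items():
        m = re.search(rx, raw)
        if m:
            return f"{m.group(1)} check={name} {m.group(2)}"
    return raw

# Sample events: the first two come from the answer, the last two are constructed.
SAMPLE = [
    "[22/Apr/2014:00:48:40] VendorID=0002 mynum=5 Code=B",
    "[22/Apr/2014:00:50:02] VendorID=0003 mynum=6 Code=C",
    "[22/Apr/2014:00:51:10] VendorID=0004 mynum=12 Code=D",
    "[22/Apr/2014:00:52:31] VendorID=0005 mynum=140 Code=E",
]

if __name__ == "__main__":
    rx = build_regexes("mynum", 5)
    print(to_conf(rx), *(rewrite(e, rx) for e in SAMPLE), sep="\n")
```

Values wider than max_digits match neither pattern and are left without a check field. An index-time rewrite of _raw cannot be undone for events already indexed, so try generated stanzas against a test index first.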


No problem Hunters, thank you for your inputs.

0 Karma