
How to create index field?

rashid47010
Communicator

Hi

We want an indexed field called 'actual_server' to indicate the hostname of the forwarder that passed us the data.

My initial thought process is that there might be two options to achieve this:

1. Hostname available in the logs, which I think is not correct.

2. Write the system hostname in transforms.conf.

I will create an app on CM and roll out this props.conf and transforms.conf against sourcetype=testlog

[testlog]
TRANSFORMS-netscreen = example
[example1]
WRITE_META=true
FORMAT = actual_server::FORWARDER1

and on the search head

fields.conf

Add the following lines to fields.conf:

[actual_server]
INDEXED=true

Is this correct?

0 Karma

Action01
Loves-to-Learn

We have used this app as a solution to add the forwarder name: https://github.com/aholzel/TA-add_forwarder_name 

0 Karma

jotne
Builder

We like to know the name of the HF server the data are passing through, so we have this app on all our HF servers.

props.conf

[source::...]
# TRANSFORMS-<class> is the props.conf key that references a transforms.conf stanza
TRANSFORMS-set_hf_server_name = set_hf_server_name

transforms.conf

[set_hf_server_name]
INGEST_EVAL = splunk_hf := splunk_server

This uses the server name, so we do not need to set it. All data will then be searchable using
splunk_hf=<something>

We also do the same for all collector servers and set splunk_collector (for Syslog/HEC/Azure etc.)

0 Karma

PickleRick
SplunkTrust

1. If the field value is not included in the raw event, you should set

INDEXED_VALUE=false

in fields.conf

2. If you want to identify a particular forwarder by inserting a static value, you might consider adding _meta at input level on the forwarder. The only caveat is that if you wanna add multiple meta fields on the UF it can quickly get ugly.

0 Karma
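Putting the thread's pieces together, here is an added example (not from any of the posters) of a complete configuration that tags every event of sourcetype testlog with a static indexed field actual_server on the forwarder, and makes it searchable on the search head. The stanza names, the sourcetype testlog and the value FORWARDER1 are taken from the original question; INGEST_EVAL is used instead of REGEX/FORMAT so no regular expression has to match the raw event.

```ini
# --- props.conf (on the forwarder / heavy forwarder that parses the data) ---
[testlog]
# TRANSFORMS-<class> references the transforms.conf stanza below
TRANSFORMS-actual_server = set_actual_server

# --- transforms.conf (same instance) ---
[set_actual_server]
# Assign a string literal (quoted) as an index-time field.
# FORWARDER1 is a placeholder; put the real forwarder hostname here,
# or reuse jotne's approach (splunk_hf := splunk_server) to avoid hard-coding it.
INGEST_EVAL = actual_server := "FORWARDER1"

# --- fields.conf (on the search head) ---
[actual_server]
# Tell the search head the field lives in the index, not in _raw.
INDEXED = true
# The value is not present in the raw event text, so searching
# actual_server=FORWARDER1 must not be rewritten into a raw-text term.
INDEXED_VALUE = false
```

With this in place, actual_server::FORWARDER1 (or actual_server=FORWARDER1) selects the events at index time without any search-time extraction; new events only pick up the field after the forwarder is restarted, and events indexed before the change are not retroactively tagged.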

gcusello
SplunkTrust

Hi @rashid47010,

As you can read at https://docs.splunk.com/Documentation/Splunk/9.1.0/Data/Configureindex-timefieldextraction, it's correct.

Only one question: did you try to set the hostname in the input stanza of the Forwarder?

Ciao.

Giuseppe

0 Karma

meetmshah
Builder

Hello @rashid47010 Yes this should work.

Note - you have mentioned TRANSFORMS-netscreen = example and have created a stanza as example1 (there is an extra "1" in the stanza name; you may want to correct them).

Let me know if ^^ doesn't work.

0 Karma

rashid47010
Communicator

Hi @meetmshah,

Below are my props and transforms. Still the index field is not showing. I have a fresh Splunk AIO instance and I am uploading an example log file named access.log.

Below is a sample event:

Jul 20 2023 09:37:08 www1 sshd[1654]: Failed password for happy from 2.229.4.58 port 2111 ssh2

props.conf

[newfield]
TRANSFORMS-test = test_newfield

transforms.conf

[test_newfield]
REGEX = sshd\[(\d+)\]
FORMAT = request::"$1"
INGEST_EVAL = splunk_orig_fwd=host_test
WRITE_META = true

0 Karma

rashid47010
Communicator

Yes, you are right. I recreated the config but still it is not working. The only missing part is updating the fields.conf file.

Let me try again shortly.

Please note that I have a test Splunk AIO server and I am uploading a sample access.log file.

0 Karma