Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

add customerID to incoming data (event & metric)

Andre_
Path Finder
‎04-22-2025 08:33 PM

Hello,

We have a few hundred hosts and a handful of customers. I have a csv file with serverName,customerID.

I've been able to add the customerID to incoming events using props.conf/transforms.conf on the HF but I have no luck with metric data. Background - I like to use the customerID later for search restriction in roles.

any suggestions where to start troubleshooting?

Kind Regards
Andre

 

Labels (2)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-23-2025 10:50 AM

@Andre_- FYI, I haven't tried these config on my side so may need to read about them on spec file & Splunk docs.

Also, I'm not sure how metrics based queries will be used for role based restriction.

 

# props.conf.example
[em_metrics]
METRICS_PROTOCOL = statsd
STATSD-DIM-TRANSFORMS = user, queue, app_id, state

# transforms.conf.example
[statsd-dims:user]
REGEX = (\Quser:\E(?<user>.*?)[\Q,\E\Q]\E])

 

I hope this helps!!! Kindly upvote if it does!!!

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎04-23-2025 04:31 AM

Hi @Andre_ 

How are you currently achieving this for event based data? You should be able to set an index-time field for your metric data with INGEST_EVAL or REGEX/WRITE_META.

I guess if you need to use your lookup then you'll need to use INGEST_EVAL. Check out the following community post for an example of this if you havent already done this: https://community.splunk.com/t5/Getting-Data-In/ingest-eval-lookup-example/m-p/534975

Also worthy of a read is https://github.com/silkyrich/ingest_eval_examples/blob/master/default/transforms.conf#L79C2-L79C34

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...