Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

passing source script file name in another field before indexing

DataOrg
Builder
‎04-21-2020 01:58 AM

i have a script which will be executed from inputs.conf but i need the script file name in a new field instead of source tag.
since i have a default source name configured. i want to add script file(source script) Name to the data indexed in the new field.

[script:///$SPLUNK_HOME/etc/apps/KIO/bin/Stats.py]
    interval = * * * * *
    source = siebel
    sourcetype = inflowstats
    disabled = False 
    index = index1
    host=server1
    Script=ScriptName
0 Karma
Reply

harsmarvania57
Ultra Champion
‎04-23-2020 04:14 AM

Duplicate of https://answers.splunk.com/answers/818655/i-need-to-index-the-source-field-value-into-new-fi.html

0 Karma
Reply

to4kawa
Ultra Champion
‎04-21-2020 02:17 AM

how about ingest_eval or DEST_KEY in transforms.conf?

0 Karma
Reply

DataOrg
Builder
‎04-21-2020 02:45 AM

@to4kawa is it possible to hardcode the value ? to any new field

0 Karma
Reply

to4kawa
Ultra Champion
‎04-21-2020 03:17 AM

I don't know hardcode .
the field value is indexed as new value by settings.

0 Karma
Reply

DataOrg
Builder
‎04-21-2020 04:03 AM

@to4kawa how to do it new field creation with static value at transform.conf

0 Karma
Reply

to4kawa
Ultra Champion
‎04-21-2020 04:34 AM

https://answers.splunk.com/answers/817188/add-x-hours-to-epoch-time.html#answer-817198

this answer express to change source field value. it can create another field, also.

0 Karma
Reply

DataOrg
Builder
‎04-21-2020 07:54 AM

@to4kawa I tried this and not getting any results.

transforms.conf
 [myeval]
 INGEST_EVAL = ScriptName=python_script

 props.conf
 [testLog]
 TRANSFORMS = myeval

fields.conf
 [eval_city]
 INDEXED = True
0 Karma
Reply

to4kawa
Ultra Champion
‎04-21-2020 12:41 PM

INGEST_EVAL is eval
use "
and in props.conf, class name is needed.

0 Karma
Reply

DataOrg
Builder
‎04-22-2020 12:17 AM

@to4kawa is this correct to extract from source? i want to extract the file name alone. i want regex for this. please help

[extract-source]
SOURCE_KEY = MetaData:Source
FORMAT = job_id::$2
WRITE_META = true

source path will be etc/apps/bin/python.py

0 Karma
Reply

to4kawa
Ultra Champion
‎04-22-2020 01:38 AM

what's $2?
where's REGEX?

0 Karma
Reply

DataOrg
Builder
‎04-23-2020 01:12 AM

worked by adding default value in inputs.conf directly.
[script://path/your_script.py]
_meta = script_name::abc.py

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...