Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: passing source script file name in another fie...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
passing source script file name in another field before indexing
i have a script which will be executed from inputs.conf but i need the script file name in a new field instead of source tag.
since i have a default source name configured. i want to add script file(source script) Name to the data indexed in the new field.
[script:///$SPLUNK_HOME/etc/apps/KIO/bin/Stats.py]
interval = * * * * *
source = siebel
sourcetype = inflowstats
disabled = False
index = index1
host=server1
Script=ScriptName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how about ingest_eval or DEST_KEY in transforms.conf?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa is it possible to hardcode the value ? to any new field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know hardcode .
the field value is indexed as new value by settings.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa how to do it new field creation with static value at transform.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
https://answers.splunk.com/answers/817188/add-x-hours-to-epoch-time.html#answer-817198
this answer express to change source field value. it can create another field, also.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa I tried this and not getting any results.
transforms.conf
[myeval]
INGEST_EVAL = ScriptName=python_script
props.conf
[testLog]
TRANSFORMS = myeval
fields.conf
[eval_city]
INDEXED = True
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
INGEST_EVAL is eval
use "
and in props.conf, class name is needed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa is this correct to extract from source? i want to extract the file name alone. i want regex for this. please help
[extract-source]
SOURCE_KEY = MetaData:Source
FORMAT = job_id::$2
WRITE_META = true
source path will be etc/apps/bin/python.py
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what's $2?
where's REGEX?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
worked by adding default value in inputs.conf directly.
[script://path/your_script.py]
_meta = script_name::abc.py
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas
Analytics Workspace deprecation
Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform
