In splunk I have a bunch of indexes:
customer01
customer02
customer03
...
Outside of splunk (in real life), each customer has a codename:
customer01 = "alfa"
customer02 = "beta"
customer03 = "gamma"
...
What I'm asking for:
In the left column in Splunk Search I see my usual selected fields; "host", "index", "source", "sourcetype", etc.
Here I want to add the field "codename".
By clicking on "index" I see a list of all indexes ("customer01", "customer02", etc).
Similarly, I would like to be able to click on "codename" and see a list of all codenames ("alfa", "beta", etc.) to easily filter out a specific customer without having to know its customer number.
(some of my users searching through all non-internal indexes don't know which customer has what number, but they know the customer's codename)
So is there any way to statically add an alternative name to all incoming data (from my universal forwarders)?
All events logged to index "customer01" should be tagged with "alfa", everything to index "customer02" with "beta", and so on.
If this tagging/aliasing/whatever is possible to do, I would like to do it in the universal forwarder. If that is not possible I can do it on the indexer.
...resulting in events looking something like this:
ntpd[945]: synchronized to 10.10.10.10, stratum 2
host=foo  index=customer02  source=/var/log/foo  sourcetype=bar  codename=beta
PS: Using lookup tables seems a bit excessive for this. I simply want to add a static string into the data the easiest way.
How?
You can tag your indexes with your codenames, and view them in the field sidebar under tag::index.
Splunk - exceeding expectations where you didn't expect it to 😄
Whee! Splunk made it even better than my example above. 🙂
It placed my index-tag "beta" right next to the index-name, making everything very intuitive. Great stuff.
ntpd[945]: synchronized to 10.10.10.10, stratum 2 host=foo index=customer02 beta source=/var/log/foo sourcetype=bar
Worked like a charm! Thanks!
Here's an example for tags.conf:
[index=_internal]
foo = enabled
That will add a tag called foo for the index _internal.
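Applied to the indexes from the question, the same tags.conf mechanism looks like this (an added example, not taken from the thread). Tags are search-time knowledge objects, so the file lives on the search head (or on an indexer that is also used for searching), not on the universal forwarder; the search syntax in the comments is what users type once the tags exist.

```ini
# $SPLUNK_HOME/etc/system/local/tags.conf  (or an app's local/ directory on the search head)
# Each stanza names the field=value pair being tagged; every tag name under it is set to "enabled".
[index=customer01]
alfa = enabled

[index=customer02]
beta = enabled

[index=customer03]
gamma = enabled

# Filtering by codename instead of by customer number, in Splunk Search:
#   index=customer* tag::index=beta
# or, without restricting the tag to the index field:
#   tag=beta
```

The tag shows up in the field sidebar as tag::index, so clicking it lists alfa, beta and gamma the same way clicking index lists the index names.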
It's probably easiest to go through the Splunk web interface. Search for index=customer01, expand an event (black triangle to its left), look for the field index, click actions for that field (blue triangle to its right), click tag, enter "alfa" (no quotes) in the box, done.
That's for Splunk 6, previous versions do the same thing but the steps to get there are a bit different.
I'm reading the tagging docs but don't fully understand how to do it. 😕
Could I have an example of such a stanza, and in which file it goes?
I don't think this is possible (creating an alias at index level). (http://answers.splunk.com/answers/42071/any-way-to-create-an-alternate-name-or-alias-for-an-index)
Another, more cumbersome option would be to configure a field alias or automatic lookup at sourcetype level.
