Knowledge Management

Add an alternative name as an extra index identifier

elof
Path Finder

In splunk I have a bunch of indexes:

customer01
customer02
customer03
...

Outside of splunk (in real life), each customer has a codename:

customer01 = "alfa"
customer02 = "beta"
customer03 = "gamma"
...

What I'm asking for:

In the left column in Splunk Search I see my usual selected fields; "host", "index", "source", "sourcetype", etc.

Here I want to add the field "codename".

By clicking on "index" I see a list of all indexes ("customer01", "customer02", etc).

Similarly, I would like to be able to click on "codename" and see a list of all codenames ("alfa", "beta", etc) to easily filter out a specific customer without having to know its customer number.

(some of my users searching through all non-internal indexes don't know which customer has what number, but they know the customer's codename)

So is there any way to statically add an alternative name to all incoming data (from my universal forwarders)?

All events logged to index "customer01" should be tagged with "alfa", everything to index "customer02" with "beta", and so on.

If this tagging/aliasing/whatever is possible to do, I would like to do it in the universal forwarder. If that is not possible I can do it on the indexer.

...resulting in events looking something like this:

ntpd[945]: synchronized to 10.10.10.10, stratum 2
host=foo index=customer02 source=/var/log/foo sourcetype=bar codename=beta

PS: Using lookup tables seems a bit excessive for this. I simply want to add a static string into the data the easiest way.

How?

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

You can tag your indexes with your codenames, and view them in the field sidebar under tag::index.



martin_mueller
SplunkTrust
SplunkTrust

Splunk - exceeding expectations where you didn't expect it to 😄

elof
Path Finder

Whee! Splunk made it even better than my example above. 🙂
It placed my index-tag "beta" right next to the index-name, making everything very intuitive. Great stuff.

ntpd[945]: synchronized to 10.10.10.10, stratum 2
host=foo  index=customer02 beta  source=/var/log/foo  sourcetype=bar

elof
Path Finder

Worked like a charm! Thanks!

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Here's an example for tags.conf:

[index=_internal]
foo = enabled

That will add a tag called foo for the index _internal.

0 Karma
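As an added example (not from the thread or from Splunk itself), the following Python script generates tags.conf stanzas in the shape shown above for the index-to-codename mapping from the question, parses them back, and emulates how the resulting tag::index field lets a search select events by codename rather than by index name. The mapping and the sample events are constructed for illustration.

```python
import re
# Constructed mapping from the question: index name -> customer codename.
CODENAMES = {"customer01": "alfa", "customer02": "beta", "customer03": "gamma"}

# Constructed sample events carrying the indexed fields shown in the sidebar.
EVENTS = [
    {"host": "foo", "index": "customer02", "sourcetype": "bar",
     "_raw": "ntpd[945]: synchronized to 10.10.10.10, stratum 2"},
    {"host": "baz", "index": "customer01", "sourcetype": "bar", "_raw": "cron[12]: job done"},
]


def build_tags_conf(codenames):
    """Render one [index=<name>] stanza per index with "<codename> = enabled",
    the same shape as the tags.conf stanza in the answer above."""
    stanzas = [f"[index={idx}]\n{name} = enabled\n" for idx, name in sorted(codenames.items())]
    return "\n".join(stanzas)


def parse_tags_conf(text):
    """Parse tags.conf text into {(field, value): {tag, ...}}, keeping enabled tags only."""
    tags, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)=(.+)\]", line)
        if m:  # new stanza: [field=value]
            current = (m.group(1), m.group(2))
            tags.setdefault(current, set())
        elif current is not None:  # "<tag> = enabled|disabled" inside a stanza
            name, _, state = line.partition("=")
            if state.strip().lower() == "enabled":
                tags[current].add(name.strip())
    return tags


def tag_event(event, tags):
    """Return {"tag::<field>": {tags}} for each field/value pair of the event that
    has an enabled tag; for index tags this is the tag::index sidebar field."""
    result = {}
    for (field, value), names in tags.items():
        if names and event.get(field) == value:
            result.setdefault(f"tag::{field}", set()).update(names)
    return result


def search_by_codename(events, tags, codename):
    """Emulate the search tag::index=<codename>: keep events whose index carries it."""
    return [e for e in events if codename in tag_event(e, tags).get("tag::index", ())]
```

Running `build_tags_conf(CODENAMES)` yields the stanzas to drop into tags.conf; `search_by_codename(EVENTS, parse_tags_conf(...), "beta")` returns only the customer02 event, which is what a user searching `tag::index=beta` gets without knowing the customer number.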

martin_mueller
SplunkTrust
SplunkTrust

It's probably easiest to go through the Splunk web interface. Search for index=customer01, expand an event (black triangle to its left), look for the field index, click actions for that field (blue triangle to its right), click tag, enter "alfa" (no quotes) in the box, done.

That's for Splunk 6, previous versions do the same thing but the steps to get there are a bit different.

elof
Path Finder

I'm reading the tagging docs but don't fully understand how to do it. 😕

Could I have an example of such a stanza, and in which file it goes?

0 Karma

somesoni2
Revered Legend

I don't think this is possible (creating an alias at index level). (http://answers.splunk.com/answers/42071/any-way-to-create-an-alternate-name-or-alias-for-an-index)

Another, more cumbersome option would be to configure a field alias/automatic lookup at sourcetype level.

0 Karma