In splunk I have a bunch of indexes:
Outside of splunk (in real life), each customer has a codename:
customer01 = "alfa"
customer02 = "beta"
customer03 = "gamma"
What I'm asking for:
In the left column in Splunk Search I see my usual selected fields: "host", "index", "source", "sourcetype", etc.
Here I want to add the field "codename".
By clicking on "index" I see a list of all indexes ("customer01", "customer02", etc).
Similarly, I would like to be able to click on "codename" and see a list of all codenames ("alfa", "beta", etc.) to easily filter out a specific customer without having to know its customer number.
(some of my users searching through all non-internal indexes don't know which customer has what number, but they know the customer's codename)
So is there any way to statically add an alternative name to all incoming data (from my universal forwarders)?
All events logged to index "customer01" should be tagged with "alfa", everything to index "customer02" with "beta", and so on.
If this tagging/aliasing/whatever is possible to do, I would like to do it in the universal forwarder. If that is not possible I can do it on the indexer.
...resulting in events looking something like this:
ntpd: synchronized to 10.10.10.10, stratum 2
host=foo index=customer02 source=/var/log/foo sourcetype=bar codename=beta
PS: Using lookup tables seems a bit excessive for this. I simply want to add a static string to the data the easiest way.
Whee! Splunk made it even better than my example above. 🙂
It placed my index-tag "beta" right next to the index-name, making everything very intuitive. Great stuff.
ntpd: synchronized to 10.10.10.10, stratum 2 host=foo index=customer02 beta source=/var/log/foo sourcetype=bar
It's probably easiest to go through the Splunk web interface. Search for
index=customer01, expand an event (black triangle to its left), look for the field index, click actions for that field (blue triangle to its right), click tag, enter "alfa" (no quotes) in the box, done.
That's for Splunk 6, previous versions do the same thing but the steps to get there are a bit different.
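The same tagging expressed as configuration, added here as an example and not taken from the answer above. Tags are search-time knowledge objects, so they live on the search head (or on an indexer that also serves searches), never on the universal forwarder; the app name below is a placeholder, and the three codenames are the ones from the question.

```ini
; tags.conf on the search head, e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/tags.conf
; One stanza per field=value pair; each key inside is a tag name set to "enabled".

[index=customer01]
alfa = enabled

[index=customer02]
beta = enabled

[index=customer03]
gamma = enabled
```

After a restart or a debug/refresh, `tag=beta` or the narrower `tag::index=beta` in the search bar returns the customer02 events, and the "tag" field appears in the field picker on the left, with the codenames as its values. Tags created through the web UI are private to the user who created them by default; share them at app or global level (Settings > Tags, or the app's local.meta) so the other users mentioned in the question can see and filter on them.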
I don't think this is possible (creating an alias at index level). (http://answers.splunk.com/answers/42071/any-way-to-create-an-alternate-name-or-alias-for-an-index)
Another cumbersome option would be to configure a field alias / automatic lookup at sourcetype level.