Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Manual field extraction

uagraw01
Motivator
‎11-24-2024 12:51 AM

Hello Splunkers!!

I have a raw event but the fields server ip and server name are not present in this raw event. And I need to extract both these fields in Splunk during index time. Both the fields having static values. What attribute should I use in props and transform so that I can get both these files?

Servername="mobiwick"

ServerIP ="10.30.xx.56.78"

 

Sample raw data :

<?xml version="1.0" encoding="utf-8"?><StaLogMessage original_root="ToLogMessage"><MessageId>6cad0986-d4b2-45e2-b5b1-e6a1af3c6d40</MessageId><MessageTimeStamp>2024-11-24T07:00:00.1115119Z</MessageTimeStamp><SenderFmInstanceName>TOP/Top</SenderFmInstanceName><ReceiverFmInstanceName>BPI/Bpi</ReceiverFmInstanceName><StatisticalElement><StatisticalSubject><MainSubjectId>NICKER</MainSubjectId><SubjectId>Prodtion</SubjectId><SubjectType>PLAN</SubjectType></StatisticalSubject><StatisticalItem><StatisticalId>8</StatisticalId><Period><TimePeriodEnd>2024-11-24T07:00:00Z</TimePeriodEnd><TimePeriodStart>2024-11-24T06:00:00Z</TimePeriodStart></Period><Value>0</Value></StatisticalItem></StatisticalElement></SogMessage>

0 Karma
Reply

meetmshah
Builder
‎11-24-2024 02:25 AM

Hello @uagraw01, I believe below should work - 

props.conf - 

[<sourcetype>]
TRANSFORMS-add_fields = add_additional_field

transforms.conf - 

[add_additional_field]
REGEX = .*
FORMAT = ServerName::mobiwick ServerIP::10.30.xx.56.78
WRITE_META = true

 

The above will add additional 2 fields in the events. 

Note that, it will not update the _raw events.

Please accept the solution and hit Karma, if this helps!

Reply

uagraw01
Motivator
‎11-24-2024 03:16 AM

@meetmshah  Thanks for your suggestion. I will try it definitely

 

Meanwhile before your suggested workaround. I have tried myself with INGEST_EVAL attribute in transforms.conf with props.conf and fields.conf and it is working.

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-24-2024 04:05 AM

Two things.

1) If these values are specific to particular sources, I'd add them at the source as _meta entries to an input stanza on the initial forwarder.

2) These will be indexed fields and need to be added to fields.conf. You have to remember to set INDEXED_VALUE=false for them. Otherwise Splunk will not be able to find them unless you explicitly use the fleld::value syntax.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...