Splunk Enterprise

Manual field extraction

uagraw01
Motivator

Hello Splunkers!!

I have a raw event, but the fields server IP and server name are not present in this raw event, and I need to extract both of these fields in Splunk at index time. Both fields have static values. What attribute should I use in props and transforms so that I can get both these fields?

Servername="mobiwick"

ServerIP ="10.30.xx.56.78"


Sample raw data :

<?xml version="1.0" encoding="utf-8"?><StaLogMessage original_root="ToLogMessage"><MessageId>6cad0986-d4b2-45e2-b5b1-e6a1af3c6d40</MessageId><MessageTimeStamp>2024-11-24T07:00:00.1115119Z</MessageTimeStamp><SenderFmInstanceName>TOP/Top</SenderFmInstanceName><ReceiverFmInstanceName>BPI/Bpi</ReceiverFmInstanceName><StatisticalElement><StatisticalSubject><MainSubjectId>NICKER</MainSubjectId><SubjectId>Prodtion</SubjectId><SubjectType>PLAN</SubjectType></StatisticalSubject><StatisticalItem><StatisticalId>8</StatisticalId><Period><TimePeriodEnd>2024-11-24T07:00:00Z</TimePeriodEnd><TimePeriodStart>2024-11-24T06:00:00Z</TimePeriodStart></Period><Value>0</Value></StatisticalItem></StatisticalElement></SogMessage>

0 Karma

meetmshah
Builder

Hello @uagraw01, I believe below should work - 

props.conf - 

[<sourcetype>]
TRANSFORMS-add_fields = add_additional_field

transforms.conf - 

[add_additional_field]
# match every event; no capture groups are needed because the values are static
REGEX = .*
# index-time key::value pairs written to the event's metadata (_meta), not to _raw
FORMAT = ServerName::mobiwick ServerIP::10.30.xx.56.78
WRITE_META = true


The above will add 2 additional fields to the events.

Note that it will not update the _raw events.

Please accept the solution and hit Karma, if this helps!

uagraw01
Motivator

@meetmshah Thanks for your suggestion. I will definitely try it.


Meanwhile, before your suggested workaround, I had tried the INGEST_EVAL attribute in transforms.conf together with props.conf and fields.conf, and it is working.


0 Karma

PickleRick
SplunkTrust

Two things.

1) If these values are specific to particular sources, I'd add them at the source as _meta entries to an input stanza on the initial forwarder.

2) These will be indexed fields and need to be added to fields.conf. You have to remember to set INDEXED_VALUE=false for them. Otherwise Splunk will not be able to find them unless you explicitly use the field::value syntax.
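Putting the thread's pieces together as an added example (not configuration posted by any of the participants): the INGEST_EVAL route uagraw01 mentioned, the inputs.conf _meta alternative from PickleRick's point 1, and the fields.conf stanzas from point 2 that both routes need. `<your_sourcetype>`, the monitor path and the stanza names are placeholders to replace with your own.

```ini
# --- Option A (PickleRick, point 1): set the values on the forwarder that reads the source
# inputs.conf on the universal forwarder; placeholder path
[monitor:///path/to/source]
sourcetype = <your_sourcetype>
# space-separated key::value pairs become indexed fields on every event from this input
_meta = ServerName::mobiwick ServerIP::10.30.xx.56.78

# --- Option B (uagraw01's INGEST_EVAL route): add them at parse time on the indexer / heavy forwarder
# props.conf
[<your_sourcetype>]
TRANSFORMS-add_static_fields = add_static_fields

# transforms.conf
[add_static_fields]
# comma-separated eval assignments; each one creates an indexed field, _raw is left untouched
INGEST_EVAL = ServerName="mobiwick", ServerIP="10.30.xx.56.78"

# --- Both options (PickleRick, point 2): fields.conf, which is read at search time,
# so it must reach the search head(s)
[ServerName]
INDEXED = true
# the value never appears in _raw, so do not require it as a raw token:
# without this, ServerName=mobiwick finds nothing and only ServerName::mobiwick works
INDEXED_VALUE = false

[ServerIP]
INDEXED = true
INDEXED_VALUE = false
```

After the relevant components have been restarted, `| tstats count where index=<your_index> by ServerName, ServerIP` confirms the fields are indexed, and a plain `ServerName=mobiwick` search only starts working once the fields.conf stanzas are in place on the search head.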
