Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Add fields to all events, derived from a static application name

nikekeen
New Member
‎06-01-2014 11:43 AM

Our deployed application services have a static deployment name of this format:

{service name}-{environment}-{the release name}

Example: service1-stage-release-1-0-1

Where the tokens I'm interested in are:

  • environment: "stage"
  • release_name: "release-1-0-1"

service1 is irrelevant here since its value is equal to the sourcetype for all events in this application so I can already filter by sourcetype=service1

My goal is for each event to be able to filter thusly:

sourcetype=service1 environment=stage release_name=release-1-0-1

This Deployment Name is currently held as a value in user-data (these are EC2 instances), though we could simply write it out to a splunk config file on first boot of these servers.

I've been reading the props.conf and transforms.conf docs but I have been unable to determine how to enable to functionality described above. Any pointers, links, and/or advice greatly appreciated.

thanks,
Sam

Tags (1)
0 Karma
Reply

Jon_Webster
Splunk Employee
Splunk Employee
‎06-01-2014 08:48 PM

If you're going to assign these fields values based on what server they're collected from at the time of collection, you'll need to set index-time fields, which you can do with the write-meta command. Here's an example from another "answer". Instead of using it by sourcetype, use it by host=*.
http://answers.splunk.com/answers/97641/custom-fields-at-index-time

Reply

nikekeen
New Member
‎06-02-2014 12:29 PM

Jon, thanks for the reply, very helpful.

These props and transforms conf files are working for me, I get app_env, and app-_release fields on the left pane that I can filter by.

Do you see any improvements or simplifications that can be made?

# ---- props.conf ----
[host::*]
TRANSFORMS-release_name = release_name

# ---- transforms.conf -----

[release_name]
REGEX=(.*)
FORMAT=$1 app_env::stage app_release::1-0-13-1
WRITE_META = true
0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...