Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Add fields to all events, derived from a static application name

nikekeen
New Member
‎06-01-2014 11:43 AM

Our deployed application services have a static deployment name of this format:

{service name}-{environment}-{the release name}

Example: service1-stage-release-1-0-1

Where the tokens I'm interested in are:

  • environment: "stage"
  • release_name: "release-1-0-1"

service1 is irrelevant here since its value is equal to the sourcetype for all events in this application so I can already filter by sourcetype=service1

My goal is for each event to be able to filter thusly:

sourcetype=service1 environment=stage release_name=release-1-0-1

This Deployment Name is currently held as a value in user-data (these are EC2 instances), though we could simply write it out to a splunk config file on first boot of these servers.

I've been reading the props.conf and transforms.conf docs but I have been unable to determine how to enable to functionality described above. Any pointers, links, and/or advice greatly appreciated.

thanks,
Sam

Tags (1)
0 Karma
Reply

Jon_Webster
Splunk Employee
Splunk Employee
‎06-01-2014 08:48 PM

If you're going to assign these fields values based on what server they're collected from at the time of collection, you'll need to set index-time fields, which you can do with the write-meta command. Here's an example from another "answer". Instead of using it by sourcetype, use it by host=*.
http://answers.splunk.com/answers/97641/custom-fields-at-index-time

Reply

nikekeen
New Member
‎06-02-2014 12:29 PM

Jon, thanks for the reply, very helpful.

These props and transforms conf files are working for me, I get app_env, and app-_release fields on the left pane that I can filter by.

Do you see any improvements or simplifications that can be made?

# ---- props.conf ----
[host::*]
TRANSFORMS-release_name = release_name

# ---- transforms.conf -----

[release_name]
REGEX=(.*)
FORMAT=$1 app_env::stage app_release::1-0-13-1
WRITE_META = true
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...