Solved: Custom Fields at index Time

adityapavan18 · ‎08-02-2013

Hi

I know that splunk automatically creates default fields like host,sourcetype,index at index time.And also the splunk provides a option to create any new fields also during index time.

My requirement is that a new field needs to be added at indextime called Component.
Its a constant value based on host and is not available in the eventlogs. Can anyone please suggest the way to do this

Ayn · ‎08-02-2013

Something like this. props.conf:

[your_sourcetype_here]
TRANSFORMS-addcomponent = addcomponent

transforms.conf:

[addcomponent]
SOURCE_KEY = MetaData:Host
REGEX = replace_with_your_host_here
FORMAT = component::your_value_here
WRITE_META = true

I haven't tried this out (I've no Splunk instance to test it on at the moment) but hopefully you get the general idea.

View solution in original post

Ayn · ‎08-02-2013

Something like this. props.conf:

[your_sourcetype_here]
TRANSFORMS-addcomponent = addcomponent

transforms.conf:

[addcomponent]
SOURCE_KEY = MetaData:Host
REGEX = replace_with_your_host_here
FORMAT = component::your_value_here
WRITE_META = true

I haven't tried this out (I've no Splunk instance to test it on at the moment) but hopefully you get the general idea.

adityapavan18 · ‎08-05-2013

Thnx a lot. Tried it and that worked

Custom Fields at index Time

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)