Splunk Search

Dynamic defaults for index-time field extraction?


I've a couple of index-time field extractions. In events that are missing one of these fields, is there a way to assign the most recently extracted value for that field from this source/sourcetype? The same behavior I see with timestamp inference, I'd like to be able to have for a non-default field extraction.

Tags (2)
0 Karma

Esteemed Legend

Not really at index time but you can at search time like this:

| streamstats MyFieldAlways=last(MyField) | <your normal search stuff but use "MyFieldAlways" instead of "MyField">
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!