Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extracting field from source for indexing

Krishna_R
Path Finder
‎09-12-2010 12:29 PM

Hi,

I have to add a field which has to be indexed along with the default fields. I can pick up the value from the Source directory name in the monitored path.

For e.g.: inputs.conf:

[monitor://c:\splunk-data\...\*]

I want the new field 'project_number' value from the directory replacing ... (There are a lot of values for 'project' and all the queries will use the 'project' as a filter, so its better indexed)

The problem is I'm not able to extract the field name from the Source. Following is teh configuration files in my app.

fields.conf:

[project_number]
INDEX = True
INDEXED_VALUE = False

props.conf:

[mysourcetype]
EXTRACT-...
TRANSFORM-FIELDS = get_project_num

transforms.conf:

SOURCE_KEY = Metadata:Source
REGEX = C:\\splunk\-data\\([0-9\-]*)\\([0-9\-]*)
FORMAT = project_number::"$1"
WRITE_META=true

The monitor is picking up the new files as I add to test, but the project_number field is never populated.

Please let me know if I'm missing something.

Thank you, Krishna

Tags (1)
Reply

drrushi_splunk
Splunk Employee
Splunk Employee
‎01-31-2012 06:03 PM

[project_number]
INDEX = True
INDEXED_VALUE = False

this should be sufficient:

[project_number]
INDEXED = True

0 Karma
Reply

Branden
Builder
‎09-12-2010 02:08 PM

I think you need to include the [get_project_num] stanza in your transforms.conf. Like this:

[get_project_num]
SOURCE_KEY = MetaData:Source
REGEX = C:\splunk-data\([0-9-])\([0-9-])
FORMAT = project_number::"$1"
WRITE_META = true

I think your regex may be off too. In your inputs.conf, you're monitoring "c:\splunk-data...*". But your transforms.conf regex includes a slash after c:\splunk-data. That may be correct, but it looks inconsistent with what you typed as your inputs.conf example.

Anyways, I hope this helped. 🙂

0 Karma
Reply

Krishna_R
Path Finder
‎09-14-2010 04:01 AM

Hey Branden, thanks for your reply, missed to reply yesterday. I have to use the extra slash for escaping the slash - as with standard regex. Otherwise there are varying error messages...

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top