Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extracting field from source for indexing

Krishna_R
Path Finder
‎09-12-2010 12:29 PM

Hi,

I have to add a field which has to be indexed along with the default fields. I can pick up the value from the Source directory name in the monitored path.

For e.g.: inputs.conf:

[monitor://c:\splunk-data\...\*]

I want the new field 'project_number' value from the directory replacing ... (There are a lot of values for 'project' and all the queries will use the 'project' as a filter, so its better indexed)

The problem is I'm not able to extract the field name from the Source. Following is teh configuration files in my app.

fields.conf:

[project_number]
INDEX = True
INDEXED_VALUE = False

props.conf:

[mysourcetype]
EXTRACT-...
TRANSFORM-FIELDS = get_project_num

transforms.conf:

SOURCE_KEY = Metadata:Source
REGEX = C:\\splunk\-data\\([0-9\-]*)\\([0-9\-]*)
FORMAT = project_number::"$1"
WRITE_META=true

The monitor is picking up the new files as I add to test, but the project_number field is never populated.

Please let me know if I'm missing something.

Thank you, Krishna

Tags (1)
Reply

drrushi_splunk
Splunk Employee
Splunk Employee
‎01-31-2012 06:03 PM

[project_number]
INDEX = True
INDEXED_VALUE = False

this should be sufficient:

[project_number]
INDEXED = True

0 Karma
Reply

Branden
Builder
‎09-12-2010 02:08 PM

I think you need to include the [get_project_num] stanza in your transforms.conf. Like this:

[get_project_num]
SOURCE_KEY = MetaData:Source
REGEX = C:\splunk-data\([0-9-])\([0-9-])
FORMAT = project_number::"$1"
WRITE_META = true

I think your regex may be off too. In your inputs.conf, you're monitoring "c:\splunk-data...*". But your transforms.conf regex includes a slash after c:\splunk-data. That may be correct, but it looks inconsistent with what you typed as your inputs.conf example.

Anyways, I hope this helped. 🙂

0 Karma
Reply

Krishna_R
Path Finder
‎09-14-2010 04:01 AM

Hey Branden, thanks for your reply, missed to reply yesterday. I have to use the extra slash for escaping the slash - as with standard regex. Otherwise there are varying error messages...

0 Karma
Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...