Solved: Re: Field extraction on all inputs

Jordan_Brough · ‎05-30-2012

Is it possible to apply a search-time field extraction to all inputs?

Our log files (across multiple hosts, sources & sourcetypes) are named like: /some/path/[app].XX.log (where XX is a number). Basically we have one logfile per running process.

I would like to automatically extract a field like: source_combined=/some/path/[app]

Here is my transforms.conf:

[source_combined]
CLEAN_KEYS = 1
FORMAT = 
MV_ADD = 0
REGEX = ^(?<source_combined>.*?)(\.\d+)?(\.log)?$
SOURCE_KEY = source

Here is my props.conf that doesn't work:

[*]
REPORT-source_combined = source_combined

This props.conf does work:

[rails]
REPORT-source_combined = source_combined

but only provides the field to the "rails" sourcetype. I want it to apply to all sourcetypes. Is there any way to get my extraction to apply to all sourcetypes rather than just one sourcetype? Is there another way of getting what I want?

sdaniels · ‎05-30-2012

Does this work for your props.conf stanza.

[(?::){0}*]
REPORT-source_combined = source_combined

I was just looking at this. http://splunk-base.splunk.com/answers/24274/can-you-have-a-wildcard-in-a-propsconf-stanza-header-whe...

View solution in original post

sdaniels · ‎05-30-2012

Does this work for your props.conf stanza.

[(?::){0}*]
REPORT-source_combined = source_combined

I was just looking at this. http://splunk-base.splunk.com/answers/24274/can-you-have-a-wildcard-in-a-propsconf-stanza-header-whe...

gkanapathy · ‎05-30-2012

It's not really any different, but you could also have just used either

[source::*]

or

[host::*]

Jordan_Brough · ‎05-30-2012

It does indeed! Thank you very much!

Field extraction on all inputs

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life