Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Help using EXTRACT to capture a custom static value by source

jason_mannering
Engager
‎10-15-2013 08:19 AM

I am trying to find out how to create a custom field that will be available as an index field that I can set as a static value by source type in the prop.conf so that it will be available at search time via the UI . For example:

[source::/temp/weblogic.log]

sourcetype=weblogic-log

EXTRACT-appcomp = "weblogic"

EXTRACT-apptier = "application"

EXTRACT-appname = "e-commerce"

This does not seem to be working and I was hoping you could provide some guidance.

Thanks

Tags (2)
0 Karma
Reply

ndoshi
Splunk Employee
Splunk Employee
‎10-15-2013 09:33 AM

Use Calculated Fields:

[source::/temp/weblogic.log]
sourcetype=weblogic-log
EVAL-appcomp = "weblogic"
EVAL-apptier = "application"
EVAL-appname = "e-commerce"
Reply

aelliott
Motivator
‎03-31-2014 07:21 AM

This helped a ton thanks! great for search time extractions.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎10-15-2013 08:23 AM

Use a TRANSFORMS in props.conf that will call the name of the transformation,
and in transforms.conf, you specify the regex and the value. (it can be a regex always matching)

see http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction
and http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf

Reply

jason_mannering
Engager
‎10-15-2013 08:56 AM

Is there not a simpler way? It seems to me that if i use the TRANSFORM option then I will have to create a separate TRANSFORM stanza for each of the follow...

app-name::website

app-comp::weblogic

app-domain::commerce

app-tier::application

I need to add these for numerous instances, apps, components, domains tiers, etc. Creating the TRANSFORM stanzas for each will take a considerable effort. I effectively want the to be applied to any log we capture with the values set by source.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...