Splunk Search

Help using EXTRACT to capture a custom static value by source

jason_mannering
Engager

I am trying to find out how to create a custom field that will be available as an index field that I can set as a static value by source type in the prop.conf so that it will be available at search time via the UI . For example:

[source::/temp/weblogic.log]

sourcetype=weblogic-log

EXTRACT-appcomp = "weblogic"

EXTRACT-apptier = "application"

EXTRACT-appname = "e-commerce"

This does not seem to be working and I was hoping you could provide some guidance.

Thanks

Tags (2)
0 Karma

ndoshi
Splunk Employee
Splunk Employee

Use Calculated Fields:

[source::/temp/weblogic.log]
sourcetype=weblogic-log
EVAL-appcomp = "weblogic"
EVAL-apptier = "application"
EVAL-appname = "e-commerce"

aelliott
Motivator

This helped a ton thanks! great for search time extractions.

0 Karma

yannK
Splunk Employee
Splunk Employee

Use a TRANSFORMS in props.conf that will call the name of the transformation,
and in transforms.conf, you specify the regex and the value. (it can be a regex always matching)

see http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction
and http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf

jason_mannering
Engager

Is there not a simpler way? It seems to me that if i use the TRANSFORM option then I will have to create a separate TRANSFORM stanza for each of the follow...

app-name::website

app-comp::weblogic

app-domain::commerce

app-tier::application

I need to add these for numerous instances, apps, components, domains tiers, etc. Creating the TRANSFORM stanzas for each will take a considerable effort. I effectively want the to be applied to any log we capture with the values set by source.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...