Help using EXTRACT to capture a custom static value by source

I am trying to find out how to create a custom field that will be available as an index field, which I can set to a static value by source type in props.conf so that it will be available at search time via the UI. For example:

[source::/temp/weblogic.log]
sourcetype=weblogic-log
EXTRACT-appcomp = "weblogic"
EXTRACT-apptier = "application"
EXTRACT-appname = "e-commerce"

This does not seem to be working, and I was hoping you could provide some guidance.

Thanks


Re: Help using EXTRACT to capture a custom static value by source

Splunk Employee

Use a TRANSFORMS setting in props.conf that names the transformation, and in transforms.conf specify the regex and the value (it can be a regex that always matches).

See http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction
and http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf
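As an added illustration of the TRANSFORMS approach described in this answer (not configuration from the original thread), the stanzas below tag every event from that source with three static index-time fields; the stanza name weblogic_appmeta is an assumed name. The fields.conf entries tell Splunk to treat the new fields as indexed at search time.

```ini
# props.conf (added example; stanza name weblogic_appmeta is assumed)
[source::/temp/weblogic.log]
sourcetype = weblogic-log
TRANSFORMS-appmeta = weblogic_appmeta

# transforms.conf
[weblogic_appmeta]
# a regex that always matches, so every event from this source gets the fields
REGEX = .
# several field::value pairs can share one stanza, separated by spaces
FORMAT = appcomp::weblogic apptier::application appname::e-commerce
# write the pairs into the index as indexed fields
WRITE_META = true

# fields.conf, so searches such as appcomp=weblogic use the indexed values
[appcomp]
INDEXED = true

[apptier]
INDEXED = true

[appname]
INDEXED = true
```

Index-time settings take effect only after a restart and only for data indexed afterwards; events already on disk will not carry the fields.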


Re: Help using EXTRACT to capture a custom static value by source

Is there not a simpler way? It seems to me that if I use the TRANSFORM option, then I will have to create a separate TRANSFORM stanza for each of the follow...

app-name::website
app-comp::weblogic
app-domain::commerce
app-tier::application

I need to add these for numerous instances, apps, components, domains, tiers, etc. Creating the TRANSFORM stanzas for each will take a considerable effort. I effectively want these to be applied to any log we capture, with the values set by source.


Re: Help using EXTRACT to capture a custom static value by source

Splunk Employee

Use Calculated Fields:

[source::/temp/weblogic.log]
sourcetype=weblogic-log
EVAL-appcomp = "weblogic"
EVAL-apptier = "application"
EVAL-appname = "e-commerce"

Re: Help using EXTRACT to capture a custom static value by source


This helped a ton, thanks! Great for search-time extractions.
