Splunk Search

How to add data to an extracted field?

Jason
Motivator

A client wishes to pull some data from one of their logs into a search-time-extracted field and prefix it with a bit of text.

However, I know that

[transformname]
REGEX = ...
FORMAT = fieldname::$1$2

doesn't work, nor does adding any other text into FORMAT. (It will come out as literally what you typed, not with the value of $1.) Looking at regex sites, it doesn't appear possible to get something into a capture group that doesn't actually exist in the event.

Is there any way to add knowledge by concatenation onto a search-time field with props/transforms, without use of the search commands (such as eval)? Concatenation of two extracted fields perhaps?

1 Solution

gkanapathy
Splunk Employee

There is not, and if you did, it would not be possible to search for the field values (in current versions, 4.1.6 and down). Note a search like myfieldname=fvalue for a search-time field myfieldname is (by default) converted by Splunk into a search for (myfieldname=fvalue AND fvalue), i.e., Splunk will look for fvalue in the raw event text. The transformations you propose above would make this search fail.

You could do something like create an automatic scripted lookup if you like instead, though it must output to a different field name from the input.

gkanapathy
Splunk Employee

You could, but then searches over that field effectively turn into "grep", and don't use the search index to find the value.

Jason
Motivator

Well you could add it to fields.conf with INDEXED_VALUE=false to stop the search term expansion.
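
As an added illustration of the scripted-lookup route gkanapathy suggests (this is example code, not from the thread or from Splunk), here is an external lookup script that prefixes the extracted value and writes it to a different field name. The stanza names, the field names `fieldname`/`prefixed_field`, the prefix text and the script name are all assumptions.

```python
#!/usr/bin/env python3
"""External (scripted) lookup that prefixes a search-time field.

Assumed Splunk wiring (all names are placeholders):

  transforms.conf
    [prefix_lookup]
    external_cmd = prefix_lookup.py fieldname prefixed_field
    fields_list  = fieldname, prefixed_field

  props.conf
    [your_sourcetype]
    LOOKUP-prefix = prefix_lookup fieldname OUTPUT prefixed_field

Splunk hands the script a CSV on stdin whose columns are the fields in
fields_list; the script fills the empty output column and echoes the CSV.
"""
import csv
import sys

PREFIX = "client-"  # constructed: the literal text to put in front of the value


def prefix_rows(rows, in_field, out_field, prefix=PREFIX):
    """Return copies of rows with out_field = prefix + in_field.

    The output field must differ from the input field, as the answer notes.
    Rows without an in_field value, or with out_field already set, are
    passed through unchanged; input dicts are not mutated.
    """
    result = []
    for row in rows:
        row = dict(row)
        value = row.get(in_field, "")
        if value and not row.get(out_field):
            row[out_field] = prefix + value
        result.append(row)
    return result


def main(argv=sys.argv):
    if len(argv) != 3:
        sys.stderr.write("Usage: %s <input_field> <output_field>\n" % argv[0])
        return 1
    reader = csv.DictReader(sys.stdin)
    if not reader.fieldnames:  # empty input: nothing to look up
        return 0
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    writer.writerows(prefix_rows(reader, argv[1], argv[2]))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```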
