I missed a field in my custom sourcetype

riotto · ‎10-05-2016

I am trying to add a field that I missed on my custom sourcetype. If I add it to the transforms.conf, the data (event) stops getting indexed. My transforms is a simple delimited fields entry. Is there a way to add this field to the event after the missing it? Also, will
the indexer enter a second event that has the same host, source, sourcetype and event time (_time) ? ...a duplicate event ?

riotto · ‎10-05-2016

The data is just integers for each field 202,109,497,3455,223,227,884,334,964 (...level9)

riotto · ‎10-05-2016

inputs.conf
[script://./bin/test.sh]
interval = 60
sourcetype = leveltest
source= leveltest
index = os
disabled = 0

props.conf:
[leveltest]
SHOULD_LINEMERGE = False
pulldown_type = 1
REPORT-level= LEVEL

transforms.conf:
[LEVEL]
DELIMS = ","
FIELDS =level1, level2, level3, level4, level5, level6, level7, level8 (..need to add level9)

dmaislin_splunk · ‎10-05-2016

Need more detail. What does your inputs.conf, props.conf, and transforms.conf look like?

dmaislin_splunk · ‎10-05-2016

And maybe add a sample set of events to the post.

I missed a field in my custom sourcetype

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases