Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to configure an index wide props.conf stanza, not just sourcetype?

tmarlette
Motivator
‎09-16-2015 03:33 PM

I was reading documentation, though I didn't see anything on if it's possible to set an index wide property within props.conf.

For instance:

    [my_sourcetype]
    REGEX-field1 - field_(?<myfield>\w+)

Is there a way to add an extracted field to a sourcetype?

Is there such a thing as this, or a way to do it for an entire index? 

[my_index]
REGEX-field1 - field_(?<myfield>\w+)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bmacias84
Champion
‎09-16-2015 04:07 PM

You can do this globally for all data within splunk my using the [default] stanza within any props.conf, but not by index at least to my knowledge. 

[default]
EXTRACT-<class> = [<regex>|<regex> in <src_field>]

Example:
[default]
EXTRACT-foo = seattle-(?<system_type>\w{3})-\d{3} in host

The host field now creates system_type field containing any three letters. If host contained seattle-dcs-001 system_type would contain dcs.

Cheers I hope this helps

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bmacias84
Champion
‎09-16-2015 04:07 PM

You can do this globally for all data within splunk my using the [default] stanza within any props.conf, but not by index at least to my knowledge. 

[default]
EXTRACT-<class> = [<regex>|<regex> in <src_field>]

Example:
[default]
EXTRACT-foo = seattle-(?<system_type>\w{3})-\d{3} in host

The host field now creates system_type field containing any three letters. If host contained seattle-dcs-001 system_type would contain dcs.

Cheers I hope this helps

0 Karma
Reply
Solved! Jump to solution

tmarlette
Motivator
‎09-17-2015 08:32 AM

Thank you! I knew about this way, but unfortunately I need to limit it by index. =( I didn't think there was a way, but I just wanted to throw it out there and see if I was missing something.

Thank you so much!

0 Karma
Reply
Solved! Jump to solution

seandevo
Explorer
‎09-16-2015 03:56 PM

I believe field extractions have an absolute requirement of selecting a certain sourcetype for performing these extractions. One reason why I could think a global extraction (even if limited to a single index) would be problematic is unnecessary load on Spunk scanning through copious amounts of events to find out that there was no regex match.

I assume that you have events from multiple events from different sourcetypes that you want the same field extraction to be applied to?

-Sean

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...