Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to configure an index wide props.conf stanza, not just sourcetype?

tmarlette
Motivator
‎09-16-2015 03:33 PM

I was reading documentation, though I didn't see anything on if it's possible to set an index wide property within props.conf.

For instance:

    [my_sourcetype]
    REGEX-field1 - field_(?<myfield>\w+)

Is there a way to add an extracted field to a sourcetype?

Is there such a thing as this, or a way to do it for an entire index? 

[my_index]
REGEX-field1 - field_(?<myfield>\w+)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bmacias84
Champion
‎09-16-2015 04:07 PM

You can do this globally for all data within splunk my using the [default] stanza within any props.conf, but not by index at least to my knowledge. 

[default]
EXTRACT-<class> = [<regex>|<regex> in <src_field>]

Example:
[default]
EXTRACT-foo = seattle-(?<system_type>\w{3})-\d{3} in host

The host field now creates system_type field containing any three letters. If host contained seattle-dcs-001 system_type would contain dcs.

Cheers I hope this helps

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bmacias84
Champion
‎09-16-2015 04:07 PM

You can do this globally for all data within splunk my using the [default] stanza within any props.conf, but not by index at least to my knowledge. 

[default]
EXTRACT-<class> = [<regex>|<regex> in <src_field>]

Example:
[default]
EXTRACT-foo = seattle-(?<system_type>\w{3})-\d{3} in host

The host field now creates system_type field containing any three letters. If host contained seattle-dcs-001 system_type would contain dcs.

Cheers I hope this helps

0 Karma
Reply
Solved! Jump to solution

tmarlette
Motivator
‎09-17-2015 08:32 AM

Thank you! I knew about this way, but unfortunately I need to limit it by index. =( I didn't think there was a way, but I just wanted to throw it out there and see if I was missing something.

Thank you so much!

0 Karma
Reply
Solved! Jump to solution

seandevo
Explorer
‎09-16-2015 03:56 PM

I believe field extractions have an absolute requirement of selecting a certain sourcetype for performing these extractions. One reason why I could think a global extraction (even if limited to a single index) would be problematic is unnecessary load on Spunk scanning through copious amounts of events to find out that there was no regex match.

I assume that you have events from multiple events from different sourcetypes that you want the same field extraction to be applied to?

-Sean

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...