Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to configure an index wide props.conf stanza, not just sourcetype?

tmarlette
Motivator
‎09-16-2015 03:33 PM

I was reading documentation, though I didn't see anything on if it's possible to set an index wide property within props.conf.

For instance:

    [my_sourcetype]
    REGEX-field1 - field_(?<myfield>\w+)

Is there a way to add an extracted field to a sourcetype?

Is there such a thing as this, or a way to do it for an entire index? 

[my_index]
REGEX-field1 - field_(?<myfield>\w+)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bmacias84
Champion
‎09-16-2015 04:07 PM

You can do this globally for all data within splunk my using the [default] stanza within any props.conf, but not by index at least to my knowledge. 

[default]
EXTRACT-<class> = [<regex>|<regex> in <src_field>]

Example:
[default]
EXTRACT-foo = seattle-(?<system_type>\w{3})-\d{3} in host

The host field now creates system_type field containing any three letters. If host contained seattle-dcs-001 system_type would contain dcs.

Cheers I hope this helps

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bmacias84
Champion
‎09-16-2015 04:07 PM

You can do this globally for all data within splunk my using the [default] stanza within any props.conf, but not by index at least to my knowledge. 

[default]
EXTRACT-<class> = [<regex>|<regex> in <src_field>]

Example:
[default]
EXTRACT-foo = seattle-(?<system_type>\w{3})-\d{3} in host

The host field now creates system_type field containing any three letters. If host contained seattle-dcs-001 system_type would contain dcs.

Cheers I hope this helps

0 Karma
Reply
Solved! Jump to solution

tmarlette
Motivator
‎09-17-2015 08:32 AM

Thank you! I knew about this way, but unfortunately I need to limit it by index. =( I didn't think there was a way, but I just wanted to throw it out there and see if I was missing something.

Thank you so much!

0 Karma
Reply
Solved! Jump to solution

seandevo
Explorer
‎09-16-2015 03:56 PM

I believe field extractions have an absolute requirement of selecting a certain sourcetype for performing these extractions. One reason why I could think a global extraction (even if limited to a single index) would be problematic is unnecessary load on Spunk scanning through copious amounts of events to find out that there was no regex match.

I assume that you have events from multiple events from different sourcetypes that you want the same field extraction to be applied to?

-Sean

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...