Splunk Search

Is there a way to configure an index wide props.conf stanza, not just sourcetype?

Motivator

I was reading documentation, but I didn't see anything on whether it's possible to set an index-wide property within props.conf.

For instance:

    [my_sourcetype]
    REGEX-field1 - field_(?<myfield>\w+)    

Is there a way to add an extracted field to a sourcetype?

Is there such a thing as this, or a way to do it for an entire index?

    [my_index]
    REGEX-field1 - field_(?<myfield>\w+)
0 Karma
1 Solution

Champion

You can do this globally for all data within Splunk by using the [default] stanza within any props.conf, but not by index, at least to my knowledge.

    [default]
    EXTRACT-<class> = [<regex>|<regex> in <src_field>]

Example:

    [default]
    EXTRACT-foo = seattle-(?<system_type>\w{3})-\d{3} in host

The host field now produces a system_type field containing any three letters. If host contained seattle-dcs-001, system_type would contain dcs.

Cheers I hope this helps


0 Karma
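The [default] EXTRACT setting from the answer, emulated in Python to show how `<regex> in <src_field>` is applied at search time to every event regardless of its index, which is exactly why it cannot stand in for an index-scoped stanza. This is an added example, not Splunk's or the poster's code; the props.conf fragment, the sample events, and the conversion of Splunk's `(?<name>...)` groups to Python's `(?P<name>...)` are my own assumptions.

```python
"""Emulate search-time application of EXTRACT-<class> keys from a props.conf
[default] stanza. Added example; the stanza and events below are constructed."""
import configparser
import re

# Constructed props.conf fragment mirroring the answer's example.
PROPS_CONF = """
[default]
EXTRACT-foo = seattle-(?<system_type>\\w{3})-\\d{3} in host
"""

# Splunk (PCRE) writes named groups as (?<name>...); Python needs (?P<name>...).
_NAMED_GROUP = re.compile(r"\(\?<(?P<name>\w+)>")


def parse_extracts(conf_text):
    """Return [(class, compiled_regex, src_field)] for each EXTRACT-* key."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the EXTRACT-foo key's case as written
    cp.read_string(conf_text)
    extracts = []
    for key, value in cp["default"].items():
        if not key.startswith("EXTRACT-"):
            continue
        # "<regex> in <src_field>" targets a field; without it Splunk uses _raw.
        regex, sep, src_field = value.rpartition(" in ")
        if not sep:
            regex, src_field = value, "_raw"
        pattern = re.compile(_NAMED_GROUP.sub(r"(?P<\g<name>>", regex))
        extracts.append((key[len("EXTRACT-"):], pattern, src_field))
    return extracts


def apply_extracts(event, extracts):
    """Return a copy of the event with extracted fields added; no match adds nothing."""
    out = dict(event)
    for _cls, pattern, src_field in extracts:
        match = pattern.search(event.get(src_field, ""))
        if match:
            out.update(match.groupdict())
    return out


# Constructed events from two indexes: [default] applies to both of them.
EVENTS = [
    {"index": "web", "host": "seattle-dcs-001", "_raw": "GET /login 200"},
    {"index": "sec", "host": "seattle-ids-042", "_raw": "alert sid=1"},
    {"index": "web", "host": "portland-dcs-001", "_raw": "GET / 200"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(apply_extracts(ev, parse_extracts(PROPS_CONF)))
```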

Motivator

Thank you! I knew about this way, but unfortunately I need to limit it by index. =( I didn't think there was a way, but I just wanted to throw it out there and see if I was missing something.

Thank you so much!

0 Karma

Explorer

I believe field extractions have an absolute requirement of selecting a certain sourcetype for performing these extractions. One reason why I could think a global extraction (even if limited to a single index) would be problematic is unnecessary load on Splunk scanning through copious amounts of events to find out that there was no regex match.

I assume that you have events from multiple sourcetypes that you want the same field extraction to be applied to?

-Sean

0 Karma