Splunk Search

Using script to assign custom default fields

jamesvz84
Communicator

I have a powershell script that gets me the AD site name of the local host. It also gives me the IP address of the local host given the hostname. I'd like to add the output of this script as default (metadata) fields for all my events. Is this possible?

For example, host, source, sourcetype (among others) are metadata fields given to me by default. I'd like to add the fields "site" and "ip" (that values of which are provided to me by the script) to the list of metadata fields.

0 Karma
1 Solution

jamesvz84
Communicator

Thanks. Through some more investigation, it seems like automatic lookups are a better option for me and not as invasive as custom metadata/default fields. I can populate the lookup table through periodic running of a saved search that would take the latest host-ip-site data and populate a lookup table, then the automatic lookup will add the ip and site fields to the search results.

Also, looks like I can search on the ip and site fields as well (and not just display on search results), which is great and fulfills my requirements.

View solution in original post

0 Karma

jamesvz84
Communicator

Thanks. Through some more investigation, it seems like automatic lookups are a better option for me and not as invasive as custom metadata/default fields. I can populate the lookup table through periodic running of a saved search that would take the latest host-ip-site data and populate a lookup table, then the automatic lookup will add the ip and site fields to the search results.

Also, looks like I can search on the ip and site fields as well (and not just display on search results), which is great and fulfills my requirements.

0 Karma

dmaislin_splunk
Splunk Employee
Splunk Employee
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...