Why am I not able to tag single events when they d...

Splunk Search

The original problem I am trying to fix is that I am not able to tag single events since they dont have a small enough field to use for the tags(only unique field was over 1024 chars). The solution for this was to create on the sourcetype we care about a field that would generate sha256 values making a unique field.

What i have added in the local diretory of the TA for the sourcetype:

transforms.conf

[add_event_hash]
INGEST_EVAL = event_hash=sha256(_raw)
FORMAT = event_hash::$1
WRITE_META = true

props.conf

[thor]
TRANSFORM-event_hash = add_event_hash

and fields.conf

[event_hash]
INDEXED = true

The result after restarting Splunk and re-importing the data is that the field is successfully created with the value we want, yet the field value is not searchable. The search generates 0 results when searching for

event_hash=<hash>

but only generates the correct result when using

event_hash=*<hash>*

any assistance would be much appreciated

Get Updates on the Splunk Community!

Why am I not able to tag single events when they don't have a small enough field to use for the tags?

field extraction

fields

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?