
add dynamic field in splunk

chandansingh
Explorer

Hi everyone, I would like to add a field in Splunk, but the field value does not come in the result.

Here are my sources:
1. C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest1\host_name\afkcd01_KLZ_Disk_110208.csv
2. C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest2\host_name\afkcd01_KLZ_Disk_110208.csv
3. C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest3\host_name\afkcd01_KLZ_Disk_110208.csv

I want to add a field named guest. As in the sources above there are different guests, like guest1, guest2 and guest3, I would like to search results based on the guest field, like:
index="tougou" guest="guest1"
index="tougou" guest="guest2"
As we know, source always comes in the result, but I don't know how to add the field guest in Splunk. Please help me resolve this problem. Thanks in advance.


dwaddle
SplunkTrust

If I understand your question correctly, you want to extract a field from the "source" metadata associated with the event. (That is, not from the "_raw" event text.) As far as I know, the only way to do that is to create an indexed field. There are a number of caveats that go along with creating indexed fields - I would recommend discussing your exact scenario and its performance and other implications with Splunk support. That said, we use this as a basic formula for pulling indexed fields from "source":

(props.conf)
[tougou]
TRANSFORMS-guest = tougou_guest

(transforms.conf)
[tougou_guest]
SOURCE_KEY = MetaData:Source
# Each \\ is one literal backslash in the Windows path; [^\\]+ captures the
# single directory name that follows tougou_logs\ (guest1, guest2, ...).
REGEX = tougou_logs\\([^\\]+)\\
FORMAT = guest::$1
WRITE_META = true

(fields.conf)
# Tells search that guest lives in the index, so guest="guest1" is looked up
# as an indexed field rather than attempted as a search-time extraction.
[guest]
INDEXED = true

(I am a little unsure on the backslashes and how many are needed in the regex example. My day job is not Windows)

Docs related to this are at: http://www.splunk.com/base/Documentation/latest/Admin/Configureindex-timefieldextraction
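Since the backslash count in the REGEX value is the part most likely to go wrong, here is an offline check of that transform regex against the three source paths from the question. This is an added example, not code from the original answer or from Splunk; the paths are reconstructed from the question as constructed sample input, and the pattern text is the transforms.conf value, which Python's re module reads the same way PCRE does for these constructs.

```python
import re
from typing import Dict, Iterable, Optional

# Constructed sample input: the three source paths from the question.
SAMPLE_SOURCES = [
    r"C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest1\host_name\afkcd01_KLZ_Disk_110208.csv",
    r"C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest2\host_name\afkcd01_KLZ_Disk_110208.csv",
    r"C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest3\host_name\afkcd01_KLZ_Disk_110208.csv",
]

# The REGEX text exactly as it would appear in transforms.conf. Splunk hands
# it to PCRE unchanged, so "\\" is one literal backslash and "[^\\]+" is one
# directory name with no backslash in it.
TRANSFORMS_REGEX = r"tougou_logs\\([^\\]+)\\"
_GUEST_RE = re.compile(TRANSFORMS_REGEX)


def conf_regex_compiles(pattern: str) -> bool:
    """True if the conf value is a valid pattern. A version written with single
    backslashes ends in a dangling escape and is rejected, which is the failure
    the backslash-count question is about."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def extract_guest(source: str) -> Optional[str]:
    """Return the directory under tougou_logs\\ (the guest value), or None when
    the source path does not match and the transform would write nothing."""
    m = _GUEST_RE.search(source)
    return m.group(1) if m else None


def format_meta(source: str, fmt: str = "guest::$1") -> Optional[str]:
    """Render the FORMAT string the way WRITE_META would: the key::value pair
    that ends up as an indexed field for this event."""
    m = _GUEST_RE.search(source)
    if not m:
        return None
    return fmt.replace("$1", m.group(1))


def guests_by_source(sources: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each source to its guest; unmatched sources map to None so they are
    visible in the check instead of silently dropped."""
    return {s: extract_guest(s) for s in sources}


if __name__ == "__main__":
    print("conf regex compiles:", conf_regex_compiles(TRANSFORMS_REGEX))
    for src, guest in guests_by_source(SAMPLE_SOURCES).items():
        print(f"{str(guest):8} <- {src}")
    # A source outside tougou_logs gets no guest field at all.
    print(extract_guest(r"C:\other\afkcd01_KLZ_Disk_110208.csv"))
```

Run it before restarting the indexer: if the three paths yield guest1, guest2 and guest3 here, the same REGEX value will produce those values in the index. For an ad hoc check inside Splunk itself, `| rex field=source "tougou_logs\\(?<guest>[^\\]+)\\"` applies the same regex at search time to the source field of events already indexed.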
