add dynamic field in splunk

chandansingh
Explorer

Hi everyone, I would like to add a field in Splunk, but the field value does not come in the result.

Here are my sources:
1. C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest1\host_name\afkcd01_KLZ_Disk_110208.csv
2. C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest2\host_name\afkcd01_KLZ_Disk_110208.csv
3. C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest3\host_name\afkcd01_KLZ_Disk_110208.csv

I want to add a field with the name guest, as in the above sources there are different guests like guest1, guest2 and guest3. So I would like to search results based on the guest field, like:
index="tougou" guest="guest1"
index="tougou" guest="guest2"
As we know, source always comes in the result, but I don't know how to add the field guest in Splunk. Please help me to resolve this problem. Thanks in advance.


dwaddle
SplunkTrust

If I understand your question correctly, you want to extract a field from the "source" metadata associated with the event. (That is, not from the "_raw" event text.) As far as I know, the only way to do that is to create an indexed field. There are a number of caveats that go along with creating indexed fields - I would recommend discussing your exact scenario and its performance and other implications with Splunk support. That said, we use this as a basic formula for pulling indexed fields from "source":

(props.conf)
[tougou]
TRANSFORMS-guest=togou_guest

(transforms.conf)
[togou_guest]
# Match against the event's source path rather than _raw
SOURCE_KEY=MetaData:Source
# "\\" matches one literal backslash; $1 is the directory directly under tougou_logs
REGEX=tougou\\tougou_logs\\([^\\]+)\\
FORMAT=guest::$1
WRITE_META=true

(I am a little unsure on the backslashes and how many are needed in the regex example. My day job is not Windows)

Docs related to this are at: http://www.splunk.com/base/Documentation/latest/Admin/Configureindex-timefieldextraction
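Because an index-time transform cannot be undone without re-indexing, it is worth checking the REGEX line against real source paths before deploying it. The script below is an added example, not part of the answer above or of Splunk itself: it applies the same pattern text to constructed source values modelled on the question's paths (plus one path outside tougou_logs that must not produce a guest) and shows which value `$1` would carry. The assumption is that Splunk's REGEX uses PCRE escaping, so `\\` matches a single literal backslash, exactly as it does in a Python raw string.

```python
import re
from typing import Dict, Iterable, Optional

# Constructed sample "source" values modelled on the paths in the question.
SAMPLE_SOURCES = [
    r"C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest1\host_name\afkcd01_KLZ_Disk_110208.csv",
    r"C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest2\host_name\afkcd01_KLZ_Disk_110208.csv",
    r"C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest3\host_name\afkcd01_KLZ_Disk_110208.csv",
    # Constructed negative case: no tougou_logs directory, so no guest field should be created.
    r"C:\Program Files\Splunk\etc\apps\other\logs\guest9\file.csv",
]

# Same characters as the REGEX= line in transforms.conf. As a raw string,
# "\\" is two characters that the regex engine reads as one literal backslash,
# and "[^\\]+" captures one directory name (everything up to the next backslash).
GUEST_REGEX = r"tougou\\tougou_logs\\([^\\]+)\\"


def extract_guest(source: str) -> Optional[str]:
    """Return the value that FORMAT=guest::$1 would assign, or None if no match."""
    match = re.search(GUEST_REGEX, source)
    return match.group(1) if match else None


def indexed_field(source: str) -> Optional[str]:
    """Render the key::value pair the transform writes into the index (assumed FORMAT semantics)."""
    guest = extract_guest(source)
    return f"guest::{guest}" if guest is not None else None


def guest_table(sources: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each source path to its extracted guest so a whole sample set can be reviewed at once."""
    return {src: extract_guest(src) for src in sources}


if __name__ == "__main__":
    for src, guest in guest_table(SAMPLE_SOURCES).items():
        print(f"{guest!s:8} <- {src}")
```

If the fourth path printed a guest, or any of the first three printed None, the pattern (or its backslash count) is wrong and should be corrected in transforms.conf before the index-time extraction is enabled.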
