Hi everyone, I would like to add a field in Splunk, but the field value does not come in the result.
Here my sources are:
1. C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest1\host_name\afkcd01_KLZ_Disk_110208.csv
2. C:\Program Files\Splunk\etc\apps\tougou\tougou_logs\guest2\host_name\afkcd01_KLZ_Disk_110208.csv
I want to add a field with the name guest, as in the above sources there are different guests like
guest1, guest2 and guest. So I would like to search results based on the guest field:
index = "tougou" guest="guest1"
index = "tougou" guest="guest2"
As we know, source always comes in the result, but I don't know how to add the field guest in Splunk.
Please help me to resolve this problem.
Thanks in advance.
If I understand your question correctly, you want to extract a field from the "source" metadata associated with the event. (That is, not from the "_raw" event text.) As far as I know, the only way to do that is to create an indexed field. There are a number of caveats that go along with creating indexed fields - I would recommend discussing your exact scenario and its performance and other implications with Splunk support. That said, we use this as a basic formula for pulling indexed fields from "source":
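As an added illustration of the indexed-field approach the answer above describes (this is not the answerer's own formula, which is not reproduced on this page, nor the project's configuration), the following props.conf / transforms.conf / fields.conf stanzas extract the directory under `tougou_logs` from the event's source path and index it as `guest`. The stanza name `extract_guest_from_source`, the source pattern and the regex are assumptions chosen to match the two example paths in the question.

```ini
# props.conf (added example, assumed stanza and pattern)
# "..." in a source:: stanza matches any string, including path separators,
# so this covers both guest1 and guest2 directories on Windows or Linux.
[source::...tougou_logs...]
TRANSFORMS-guest = extract_guest_from_source

# transforms.conf (added example)
[extract_guest_from_source]
# Read from the source metadata rather than the _raw event text.
SOURCE_KEY = MetaData:Source
# Capture the path segment that directly follows "tougou_logs",
# accepting either "\" or "/" as the separator.
REGEX = tougou_logs[\\/]([^\\/]+)[\\/]
# Write the capture as an indexed field named "guest".
FORMAT = guest::$1
WRITE_META = true

# fields.conf (added example)
# Declare the field as indexed so that guest="guest1" is resolved
# against the index rather than by search-time extraction.
[guest]
INDEXED = true
```

Two practical notes: indexed fields are populated only for events indexed after the configuration is deployed to the indexers, so existing events in the `tougou` index will not carry `guest` until they are re-indexed; and the regex can be checked against already-indexed data before deploying by running it at search time with `rex field=source "tougou_logs[\\/](?<guest>[^\\/]+)"` and confirming that every source path yields the expected value.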