Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to extract fields from one event in a log file and append them to other events in same log?

blee_i365
Explorer
‎06-06-2011 11:29 AM

My log files:

=============

2011-06-05 05:11:23.234 Program Version 10.02.2345

2011-06-05 05:11:23.239 event 1

2011-06-05 05:11:23.250 event 2

...

...

2011-06-05 10:10:13.150 event 20000

2011-06-05 10:10:13.151 event 20001

=============

I'd like to include a "ProgramVersion" field with value "10.02.2345" in all events contained in the same log file. With field extraction I can easily create this field and assign it the value 10.02.2345. However this field is not associated with subsequent events. Is there a way to achieve this?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

mw
Splunk Employee
Splunk Employee
‎06-08-2011 09:51 AM

Ah, gotcha. Something like this maybe:

source=mysource.log event=* | appendcols [search source=mysource.log ProgramVersion=* | fields ProgramVersion]

View solution in original post

Reply
Solved! Jump to solution

blee_i365
Explorer
‎06-08-2011 10:11 AM

Thank you mv. That gets what I need.

0 Karma
Reply
Solved! Jump to solution
Solution

mw
Splunk Employee
Splunk Employee
‎06-08-2011 09:51 AM

Ah, gotcha. Something like this maybe:

source=mysource.log event=* | appendcols [search source=mysource.log ProgramVersion=* | fields ProgramVersion]
Reply
Solved! Jump to solution

blee_i365
Explorer
‎06-08-2011 09:31 AM

Hi mv, thanks for the reply. Unfortunately that post doesn't seem to do what I want, which is when I search for "event 20001" for example (or any event within the same log file) I want it to also include a field called ProgramVersion containing value 10.02.2345.

Another way to put this is there is information of interest at the beginning of my log file, and I want this information to be visible to all events recorded in this log.

Thanks in advance.

0 Karma
Reply
Solved! Jump to solution

mw
Splunk Employee
Splunk Employee
‎06-06-2011 05:47 PM

See if this is what you want: http://splunk-base.splunk.com/answers/1453/how-do-i-add-metadata-to-events-coming-from-a-splunk-forw...

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
Top