My log files:
=============
2011-06-05 05:11:23.234 Program Version 10.02.2345
2011-06-05 05:11:23.239 event 1
2011-06-05 05:11:23.250 event 2
...
...
2011-06-05 10:10:13.150 event 20000
2011-06-05 10:10:13.151 event 20001
=============
I'd like to include a "ProgramVersion" field with value "10.02.2345" in all events contained in the same log file. With field extraction I can easily create this field and assign it the value 10.02.2345. However, this field is not associated with subsequent events. Is there a way to achieve this?
Ah, gotcha. Something like this maybe:
source=mysource.log event=* | appendcols [search source=mysource.log ProgramVersion=* | fields ProgramVersion]
Thank you mv. That gets what I need.
Hi mv, thanks for the reply. Unfortunately that post doesn't seem to do what I want, which is when I search for "event 20001" for example (or any event within the same log file) I want it to also include a field called ProgramVersion containing value 10.02.2345.
Another way to put this is there is information of interest at the beginning of my log file, and I want this information to be visible to all events recorded in this log.
Thanks in advance.
See if this is what you want: http://splunk-base.splunk.com/answers/1453/how-do-i-add-metadata-to-events-coming-from-a-splunk-forw...
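One way to get the behaviour the question asks for at search time, as an added example that is not from any poster in this thread. It assumes the ProgramVersion field is already extracted on the version line, as the question describes, and that the search time range includes that line.

```spl
source=mysource.log
| sort 0 _time
| streamstats last(ProgramVersion) as ProgramVersion by source
| search "event 20001"
```

The final filter comes after streamstats because the version line has to be in the result set for its value to be carried onto later events. If the program restarts and writes a new version line into the same file, events after that line pick up the newer value.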