Hi,
I am trying to configure some index-time field extractions on a SplunkForwarder, so that I can tag all events from the Forwarder with a couple of additional fields.
It is impractical to try to do this at search-time.
I have tried adding the following files to the forwarder, in an attempt to follow the documentation:
# props.conf
[default]
TRANSFORMS-role = xxx-role
TRANSFORMS-environment = xxx-environment

# transforms.conf
[xxx-environment]
DEFAULT_VALUE = common
FORMAT = environment::"common"
WRITE_META = true

[xxx-role]
DEFAULT_VALUE = client
FORMAT = role::"client"
WRITE_META = true

# fields.conf
[role]
INDEXED=true
INDEXED_VALUE=false

[environment]
INDEXED=true
INDEXED_VALUE=false
N.B. The config files look "normal"; however, I can't manage to format the question.
The only change made to the indexing server has been to add the same fields.conf file.
Having restarted both the forwarder and indexer, I am still unable to search on either "role" or "environment".
(I am trying to search with environment="common" for example.)
Any advice/solution would be greatly appreciated.
Thanks,
mgh
To answer my own question: adding a regex that matched everything to the transforms.conf has it now working... though I'm sure there must be a better way to do this.
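Below is an added example of the working configuration the answer above describes, written here for illustration rather than taken from the original poster. It assumes Splunk Enterprise and that the "forwarder" is a heavy forwarder: index-time transforms run on whichever instance parses the data (a heavy forwarder or the indexer), and a universal forwarder does not apply props.conf TRANSFORMS-* at all, so on a universal forwarder these props.conf and transforms.conf stanzas would have to live on the indexer instead. The catch-all `REGEX = .` is the "regex that matched everything" from the answer; the stanza names `xxx-role` and `xxx-environment` and the values `client` and `common` are carried over from the question, and the quotes around the FORMAT values are dropped to match the `field::value` form used in the Splunk documentation examples.

```ini
# props.conf  (on the instance that parses the data: heavy forwarder or indexer)
# [default] applies to every event this instance parses. Use a [<sourcetype>]
# or [source::...] stanza instead if only some inputs should be tagged.
[default]
TRANSFORMS-role = xxx-role
TRANSFORMS-environment = xxx-environment

# transforms.conf  (same instance as props.conf)
# An index-time transform only writes FORMAT when REGEX matches the event.
# "." matches any event with at least one character, so the static tag is
# applied to everything; this is the catch-all regex the answer refers to.
[xxx-environment]
REGEX = .
FORMAT = environment::common
WRITE_META = true

[xxx-role]
REGEX = .
FORMAT = role::client
WRITE_META = true

# fields.conf  (on the search head, or on the indexer if you search there)
# Marks the fields as indexed so search looks them up in the metadata rather
# than trying to extract them at search time. INDEXED_VALUE = false because
# the value is stored only as metadata and does not appear as a token in _raw.
[role]
INDEXED = true
INDEXED_VALUE = false

[environment]
INDEXED = true
INDEXED_VALUE = false
```

Index-time fields are written only for events that arrive after the parsing instance has been restarted with this configuration; events already on disk are not tagged retroactively. To confirm the merged config is what you expect, run `splunk btool transforms list xxx-role --debug` on the parsing instance. To confirm the fields were actually indexed, search new data with the indexed-field syntax `index=* environment::common role::client`, or run `| tstats count where index=* by environment, role`, which only returns results for fields that are genuinely indexed.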