Splunk Search

reverse mapping from custom fields to host and sourcetype

aoates
Splunk Employee

We’re looking for a way to support a number of identical named environments, such as UIT1, UIT2, etc. Each environment is a collection of applications running on a particular set of hosts. Each application is a collection of a certain set of sourcetypes.

What I’d like is to be able to independently define the source types generated for a particular application, and give it a name. The name is just the mapping of sourcetypes generated by a particular application. Separately, we’d like to give a name to an environment, which would be a collection of hosts. So when we’re done we’d be able to say:

app="my_app_1" environment="UIT1"

And that would translate in splunk terms to something like:

host="foo" AND (sourcetype="type1" OR sourcetype="thype2" OR ....)

When we’re done, because we’ve separated the app definition out, when we later change the sourcetypes for an application, we’ll be able to make that change in one place. If we were merely to give the above search a name, we’d have many hundreds of cloned full queries, and changing the sourcetypes for one application would require manually updating every cloned and named query.

1 Solution

gkanapathy
Splunk Employee

Create two automatic lookups, to map from "host" to "environment", and from "sourcetype" to "app" respectively.

LOOKUP-env = host_env host OUTPUT environment
LOOKUP-app = st_app sourcetype OUTPUT app

with lookup files containing at least these columns:

host,environment
foo,UIT1
bar,PROD
baz,PROD

and

sourcetype,app
type1,my_app_1
thype2,my_app_1
type3,another_app

etc. With an automatic lookup, the reverse mapping on search will work exactly as you have asked.
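To make the two directions of the mapping concrete, here is an added Python example (not from the original post or from Splunk) that loads the two lookup tables above as constructed CSV text, shows what the automatic lookups add to an event at search time, and expands app=X environment=Y into the explicit host/sourcetype search the question wanted to avoid cloning by hand. The function names and the AND/OR rendering are this example's own assumptions.

```python
import csv
import io

# Constructed sample lookup tables mirroring the two CSVs in the answer above.
HOST_ENV_CSV = """host,environment
foo,UIT1
bar,PROD
baz,PROD
"""
ST_APP_CSV = """sourcetype,app
type1,my_app_1
thype2,my_app_1
type3,another_app
"""

def load_lookup(csv_text, key_field, value_field):
    """Parse a lookup CSV into {key: value}, e.g. {"foo": "UIT1"}."""
    return {row[key_field]: row[value_field]
            for row in csv.DictReader(io.StringIO(csv_text))}

def invert(mapping):
    """Reverse key->value into value->sorted list of keys (the 'reverse mapping')."""
    out = {}
    for k, v in mapping.items():
        out.setdefault(v, []).append(k)
    return {v: sorted(ks) for v, ks in out.items()}

def spl_quote(value):
    # Double-quote a literal and escape embedded backslashes/quotes for SPL.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def expand_search(app, environment, host_env, st_app):
    """Translate app=X environment=Y into the explicit host/sourcetype search."""
    hosts = invert(host_env).get(environment, [])
    sourcetypes = invert(st_app).get(app, [])
    if not hosts or not sourcetypes:
        raise ValueError(f"no lookup rows for app={app!r} environment={environment!r}")
    host_clause = " OR ".join(f"host={spl_quote(h)}" for h in hosts)
    st_clause = " OR ".join(f"sourcetype={spl_quote(s)}" for s in sourcetypes)
    # Parenthesise both groups so AND joins them rather than binding to the last term.
    return f"({host_clause}) AND ({st_clause})"

def enrich(event, host_env, st_app):
    """What the automatic lookups do at search time: add environment and app fields."""
    extra = {"environment": host_env.get(event.get("host")),
             "app": st_app.get(event.get("sourcetype"))}
    return {**event, **{k: v for k, v in extra.items() if v is not None}}

HOST_ENV = load_lookup(HOST_ENV_CSV, "host", "environment")
ST_APP = load_lookup(ST_APP_CSV, "sourcetype", "app")
```

Changing a sourcetype-to-app row in ST_APP_CSV changes every expanded search at once, which is the single-place maintenance the question asked for.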


rotten
Communicator

We assign environments like that in the host value rather than sourcetype. Since our log files are the same in the different environments, we don't really want to have to re-do field definitions for every environment (every new sourcetype).

We do this for appservers, databases, webservers, and more.

"host" is really an abstract concept in the age of virtual servers and cloud computing after all...

--

So in the inputs.conf we have:

[monitor]...

host=myserver1_myenvironment1

and for another one:

host=myserver1_myenvironment2

and another

host=myserver2_myenvironment1

etc...

Users can then search on:

host=myserver*_myenvironment1 OR host=myserver1_myenvironment*

or some combination.

You could extend this to:

host=myserver1_myapp1_myenv1


Lowell
Super Champion

I think you could do this with tags or lookups. There are pros and cons to either approach. Here are a few things to consider: Lookups would require editing of a csv file when new environments/apps are added. Lookups are generally faster and can be made to work in a date-effective way. Tags are individual objects in 4.1, and therefore can be assigned to a specific user or shared across role (which will probably just get in the way for you).

Gkanapathy just posted an example using lookups, ...

Using tags, your search would look like:

tag::sourcetype="my_app_1" tag::host="UIT1"


gkanapathy
Splunk Employee

You could also use tags and they will work similarly, but the syntax isn't as pretty. They are easier to maintain in the GUI however, vs lookup tables.
