Here is my situation (and I know it isn't ideal, but I have to work with it for now).
I have scripts that pre-process log files to a standard format that Splunk digests. The format isn't really that important here, but the problem is that I have to add two more fields to this file that is created.
How do I handle this change in the format of my input file with the setup that I currently have?
I want the old data to remain unchanged and also perhaps add a default value for the 2 new fields?
followTail = 0
sourcetype = psv
host_regex = ([^/.]+).
index = test-index
REPORT-PSV = psv-delim
pulldown_type = 1
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
DELIMS = "|"
FIELDS = server,service,date,type,requestId,class,message
So essentially my new input file would have server,service,date,type,requestId,class,message,user,id