Hi,
I need to add extra field at index time.
The field is "Name of DEV/QA/Prod environment", which never changes during its hosts life-cycle.
What would be the best way to do that?
I don't want to do that at search time, because
it is something that needs to be for all sources.
it is static
According to Splunk Doc, its not recommended:
Caution: Do not add custom fields to the set of default fields that Splunk software automatically extracts and indexes at index time unless absolutely necessary.
Please, advise if there are any ideas.
Thanks.
... View more