I have added a custom field/value to a log event within Splunk at index time. This also includes a DEFAULT_VALUE if the match fails. Here are examples of my config:
transforms.conf
[app_name]
REGEX = \"app_name\":\".+?(\w+)-(\w)-.+?\"
FORMAT = app::$1$2
DEFAULT_VALUE = app::"not_specified"
WRITE_META = true
fields.conf
[app]
INDEXED=true
Everything works except the default value is not searchable. Under interesting fields in the Splunk UI I can see app -> "not_specified" as a value with an event count; however, when I click on it or add it to a search, 0 results are returned. The non-default values come back OK and are searchable; only the static default value is not. Any help is much appreciated.
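Added example (not from the original post) that models the posted transform in Python: it applies the posted REGEX and FORMAT to constructed sample events, falls back to DEFAULT_VALUE when there is no match, and compares a search term against the stored key::value token. It assumes Splunk writes the DEFAULT_VALUE string verbatim (quotes included) and that SPL strips the quotes around a search value before the lookup; EVENTS, index_event and search_matches are names chosen here.

```python
import re

# Posted transforms.conf settings, transcribed as Python constants.
REGEX = re.compile(r'\"app_name\":\".+?(\w+)-(\w)-.+?\"')
FORMAT_KEY = "app"
DEFAULT_VALUE_POSTED = 'app::"not_specified"'   # exactly as in the question
DEFAULT_VALUE_FIXED = 'app::not_specified'      # assumption: same setting without quotes


def index_event(raw, default=DEFAULT_VALUE_POSTED):
    """Model of WRITE_META=true: return the key::value string that would be
    written to _meta for one raw event (assumes DEFAULT_VALUE is used verbatim)."""
    m = REGEX.search(raw)
    if m:
        return f"{FORMAT_KEY}::{m.group(1)}{m.group(2)}"   # FORMAT = app::$1$2
    return default


def search_matches(meta, spl_value):
    """Model of searching an indexed field, e.g. app="not_specified" or app=not_specified.
    SPL strips the surrounding quotes from the search value, so both forms look up
    the same token; the stored value is compared byte-for-byte (assumption)."""
    key, _, value = meta.partition("::")
    if key != FORMAT_KEY:
        return False
    return value == spl_value.strip('"')


# Constructed sample events (not from the original post).
EVENTS = [
    '{"host":"web01","app_name":"prod/payments-p-east"}',  # match -> app::paymentsp
    '{"host":"web02","app_name":"payments-p-east"}',       # lazy .+? must eat one char -> app::aymentsp
    '{"host":"web03","msg":"no app_name here"}',            # no match -> DEFAULT_VALUE
]


def index_all(default=DEFAULT_VALUE_POSTED):
    """Run the transform model over every sample event."""
    return [index_event(e, default) for e in EVENTS]


if __name__ == "__main__":
    for meta in index_all():
        print(meta, "searchable as app=not_specified:", search_matches(meta, "not_specified"))
```

The second sample event shows a side effect of the leading `.+?` in the posted REGEX: it always consumes at least one character before `(\w+)`, so a value with no prefix loses its first letter.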