In splunk I have a bunch of indexes:
customer01
customer02
customer03
...
Outside of splunk (in real life), each customer has a codename:
customer01 = "alfa"
customer02 = "beta"
customer03 = "gamma"
...
What I'm asking for:
In the left column in Splunk Search I see my usual selected fields; "host", "index", "source", "sourcetype", etc.
Here I want to add the field "codename".
By clicking on "index" I see a list of all indexes ("customer01", "customer02", etc).
Similarly, I would like to be able to click on "codename" and see a list of all codenames ("alfa", "beta", etc) to easily filter out a specific customer without having to know its customer number.
(some of my users searching through all non-internal indexes don't know which customer has what number, but they know the customer's codename)
So is there any way to statically add an alternative name to all incoming data (from my universal forwarders)?
All events logged to index "customer01" should be tagged with "alfa", everything to index "customer02" with "beta", and so on.
If this tagging/aliasing/whatever is possible to do, I would like to do it in the universal forwarder. If that is not possible I can do it on the indexer.
...resulting in events looking something like this:
ntpd[945]: synchronized to 10.10.10.10, stratum 2
host=foo index=customer02 source=/var/log/foo sourcetype=bar codename=beta
PS: Using lookup-tables seems a bit excessive for this. I simply want to add a static string into the data the easiest way.
How?
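One way to get the `codename=beta` field shown in the example event, added here as an illustration and not part of the original post: Splunk's `_meta` setting in the forwarder's inputs.conf attaches a static indexed field to every event from that input, and a matching fields.conf entry on the search head lets the field be selected and searched like `index`. The monitor path, index and sourcetype are taken from the example event; the stanza layout is an assumption about the asker's setup.

```ini
# inputs.conf on the universal forwarder (assumed layout, one stanza per input)
# Every event from this input is written to index customer02 and carries
# the indexed field codename=beta, so the mapping lives beside the index choice.
[monitor:///var/log/foo]
index = customer02
sourcetype = bar
_meta = codename::beta

# fields.conf on the search head
# Declares codename as an indexed field so "codename=beta" is matched at
# index time and the field appears in the selected-fields list.
[codename]
INDEXED = true
```

Because the value is set per input, a forwarder feeding two indexes needs a separate stanza (and `_meta` value) for each, and events already indexed before the change will not carry the field.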