Refine your search:

How to add an indexed field in a distributed setup?

0

Hi folks,

I'm trying to add an indexed field to a distributed setup, but I can't seem to get it working. (I'm aware that indexed fields are not typically recommended)

Here's the scenario: I have multiple indexers at different locations. I need to add a field to every message that is processed which includes the site where it came from.

On my search head (which is distributing the confs to the indexers), I have the following:

/opt/splunk/etc/system/local/props.conf:

[syslog]
TRANSFORMS-location = add_location

/opt/splunk/etc/system/local/transforms.conf

[add_location]
SOURCE_KEY = location
REGEX = (.*)
FORMAT = location::$1
WRITE_META = true

/opt/splunk/etc/system/local/fields.conf

[location]
INDEXED = true
INDEXED_VALUE = false

On the indexer I'm testing with, I have the following:

/opt/splunk/etc/apps/search/local/inputs.conf 

[tcp://5514]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true
location = ny

I found a similar question that I've used as a guide.

Any ideas? Are there any logs/commands that I can use to see why the indexed field isn't getting added to the events?

Thanks.

asked 03 Jan '11, 20:01

infrauser's gravatar image

infrauser
133
accept rate: 100%

edited 03 Jan '11, 22:39

2 Answers:
oldestnewestmost voted
0

I was able to get this working. Here's what my conf files look now:

/opt/splunk/etc/system/local/props.conf:

[syslog]
# TRANSFORMS-location = add_location

/opt/splunk/etc/system/local/transforms.conf

# [add_location]
# SOURCE_KEY = location
# REGEX = (.*)
# FORMAT = location::$1
# WRITE_META = true

/opt/splunk/etc/system/local/fields.conf

# [location]
# INDEXED = true
# INDEXED_VALUE = false

On the indexer I'm testing with, I have the following:

/opt/splunk/etc/apps/search/local/inputs.conf

[tcp://5514]
connection_host = dns
sourcetype = syslog
no_priority_stripping = true
no_appending_timestamp = true
# location = ny
_meta = location::qcy
link

answered 04 Jan '11, 00:24

infrauser's gravatar image

infrauser
133
accept rate: 100%

0

It should be noted that the field splunk_server is included in every event, and this indicates which indexer it came from. You can search or report on this field. If you must have a field by another name and map the splunk_server names to locations, you would be better off using a lookup table to map splunk_server names to location values.

link

answered 04 Jan '11, 00:58

gkanapathy's gravatar image

gkanapathy ♦
26.2k1622
accept rate: 42%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×326
×65

Asked: 03 Jan '11, 20:01

Seen: 858 times

Last updated: 04 Jan '11, 00:58

Related questions

Conf file precedence in a distributed setup?

Adding an Index in Distributed Setup

Distributed Forwarding setup

Distributed Summary Indexing from Search Head

Distributed Summary indexing - Search head and indexer on 4.2

How do you handle Summary Indexing in a distributed environment?

Should summary indexing happen on the distributed searcher or on the indexer(s)?

What is the best way to index data from a distributed location

How do I determine the appropriate timeout value for distributed search

Copyright © 2005-2012 Splunk, Inc. All rights reserved.