How to add data to an extracted field?

Question

A client wishes to pull some data from one of their logs into a search-time-extracted field and prefix it with a bit of text.

However, I know that

[transformname]
REGEX = ...
FORMAT = fieldname::$1$2

doesn't work, nor does adding any other text into FORMAT. (It will come out as literally what you typed, not with the value of $1.) Looking at regex sites, it doesn't appear possible to get something into a capture group that doesn't actually exist in the event.

Is there any way to add knowledge by concatenation onto a search-time field with props/transforms, without use of the search commands (such as eval)? Concatenation of two extracted fields perhaps?

Accepted Answer

1

There is not, and if you did, it would not be possible to search for the field values (in current versions, 4.1.6 and down). Note a search like myfieldname=fvalue for a search-time field myfieldname is (by default) converted by Splunk into a search for (myfieldname=fvalue AND fvalue), i.e., Splunk will look for fvalue in the raw event text. The transformations you propose above would make this search fail.

You could do something like create an automatic scripted lookup if you like instead, though it must output to a different field name from the input.

link

answered 27 Jan '11, 03:48

gkanapathy ♦
32.3k●4●8●27
accept rate: 41%

Well you could add it to fields.conf with INDEXED_VALUE=false to stop the search term expansion.

(27 Jan '11, 04:22) Jason

You could, but then searches over that field effectively turn into "grep", and don't use the search index to find the value.

(27 Jan '11, 04:30) gkanapathy ♦

How to add data to an extracted field?

Follow this question

Splunk Resources

Related questions