Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Help using EXTRACT to capture a custom static value by source

jason_mannering
Engager
‎10-15-2013 08:19 AM

I am trying to find out how to create a custom field that will be available as an index field that I can set as a static value by source type in the prop.conf so that it will be available at search time via the UI . For example:

[source::/temp/weblogic.log]

sourcetype=weblogic-log

EXTRACT-appcomp = "weblogic"

EXTRACT-apptier = "application"

EXTRACT-appname = "e-commerce"

This does not seem to be working and I was hoping you could provide some guidance.

Thanks

Tags (2)
0 Karma
Reply

ndoshi
Splunk Employee
Splunk Employee
‎10-15-2013 09:33 AM

Use Calculated Fields:

[source::/temp/weblogic.log]
sourcetype=weblogic-log
EVAL-appcomp = "weblogic"
EVAL-apptier = "application"
EVAL-appname = "e-commerce"
Reply

aelliott
Motivator
‎03-31-2014 07:21 AM

This helped a ton thanks! great for search time extractions.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎10-15-2013 08:23 AM

Use a TRANSFORMS in props.conf that will call the name of the transformation,
and in transforms.conf, you specify the regex and the value. (it can be a regex always matching)

see http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction
and http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf

Reply

jason_mannering
Engager
‎10-15-2013 08:56 AM

Is there not a simpler way? It seems to me that if i use the TRANSFORM option then I will have to create a separate TRANSFORM stanza for each of the follow...

app-name::website

app-comp::weblogic

app-domain::commerce

app-tier::application

I need to add these for numerous instances, apps, components, domains tiers, etc. Creating the TRANSFORM stanzas for each will take a considerable effort. I effectively want the to be applied to any log we capture with the values set by source.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...