Define Search-Time Report Fields
If you have custom data that you need to build reports from, but never need to search on, you can avoid the extra processing and storage cost of indexing those fields by generating them only when a report asks for them. Use __internal_report as the sourcetype in your bundle to tell Splunk not to create these fields until the report is generated.
As an example, start with the social security number extraction from the "Extract additional meta data (e.g. user, severity) from events" page. The bundle configuration (in $SPLUNK_HOME/etc/bundles/local) looks like this:
props.conf
    [my_custom_sourcetype]
    REGEXES-ssn = ssn
regexes.conf
    [ssn]
    # This is the default for [ssn]:
    REGEX = \[(\d\d\d-\d\d-\d\d\d\d)\]
    DEST_KEY = _meta
    FORMAT = $0 ssn::$1
This creates the ssn metadata before the event is indexed, so you can search on it. But if you only need to show it in reports, there is no reason to have it indexed.
Instead, use __internal_report:
props.conf
    [__internal_report]
    REGEXES-ssn = ssn
regexes.conf
    [ssn]
    # This is the default for [ssn]:
    REGEX = \[(\d\d\d-\d\d-\d\d\d\d)\]
    DEST_KEY = _meta
    FORMAT = $0 ssn::$1
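The following Python script is an added illustration, not Splunk's code, of the difference between the two configurations above. It loads the [ssn] stanza from a constructed regexes.conf string, then simulates indexing the same constructed events twice: once storing the extracted ssn field with every event (the [my_custom_sourcetype] setup) and once storing only the raw event and computing the field when the report runs (the [__internal_report] setup). The report output is identical either way; only the stored size differs. The FORMAT expansion (treating $0 as the whole match and $N as capture group N) and the byte-count proxy are simplifying assumptions of this toy, and the SSN values in the events are fabricated placeholders.

```python
import configparser
import re

# Constructed regexes.conf text mirroring the page's [ssn] stanza (not Splunk's shipped file).
REGEXES_CONF = r"""
[ssn]
REGEX = \[(\d\d\d-\d\d-\d\d\d\d)\]
DEST_KEY = _meta
FORMAT = $0 ssn::$1
"""

# Constructed sample events; the bracketed SSNs are fabricated placeholders.
EVENTS = [
    "2007-03-01 10:00:01 user=alice action=lookup [123-45-6789]",
    "2007-03-01 10:00:02 user=bob action=login",
    "2007-03-01 10:00:03 user=carol action=lookup [987-65-4321]",
]


def load_stanza(conf_text, name):
    """Parse one [name] stanza from conf text into a dict, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep REGEX / DEST_KEY / FORMAT uppercase
    parser.read_string(conf_text)
    return dict(parser[name])


def expand_format(fmt, match):
    """Expand $0, $1, ... in FORMAT (assumption: $0 = whole match, $N = group N)."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))) or "", fmt)


def extract_fields(stanza, event):
    """Apply the stanza's REGEX to one event and return key->value pairs from FORMAT."""
    match = re.search(stanza["REGEX"], event)
    if not match:
        return {}
    fields = {}
    for token in expand_format(stanza["FORMAT"], match).split():
        if "::" in token:
            key, value = token.split("::", 1)
            fields[key] = value
    return fields


def index_events(events, stanza, extract_at_index_time):
    """Simulate indexing. True = index-time extraction (field stored per event);
    False = __internal_report behaviour (only the raw event is stored)."""
    stored = []
    for event in events:
        record = {"_raw": event}
        if extract_at_index_time:
            record["_meta"] = extract_fields(stanza, event)
        stored.append(record)
    return stored


def report_ssn_lookups(stored, stanza):
    """Build the report as (user, ssn) rows. Stored fields are reused; missing
    fields are computed now, which is the work __internal_report defers."""
    rows = []
    for record in stored:
        fields = record.get("_meta") or extract_fields(stanza, record["_raw"])
        if "ssn" in fields:
            user = re.search(r"user=(\S+)", record["_raw"]).group(1)
            rows.append((user, fields["ssn"]))
    return rows


def stored_size(stored):
    """Rough proxy for on-disk size: raw text plus any stored field keys/values."""
    total = 0
    for record in stored:
        total += len(record["_raw"])
        total += sum(len(k) + len(v) for k, v in record.get("_meta", {}).items())
    return total


if __name__ == "__main__":
    stanza = load_stanza(REGEXES_CONF, "ssn")
    indexed = index_events(EVENTS, stanza, extract_at_index_time=True)
    deferred = index_events(EVENTS, stanza, extract_at_index_time=False)
    print("index-time report :", report_ssn_lookups(indexed, stanza))
    print("report-time report:", report_ssn_lookups(deferred, stanza))
    print("stored size index-time =", stored_size(indexed),
          "report-time =", stored_size(deferred))
```

Run it directly to see both reports print the same rows while the report-time store is smaller; the trade-off is that the regex runs on every report instead of once at index time, and the field is not searchable.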
This documentation applies to the following versions of Splunk: 2.2, 2.2.1, 2.2.3, 2.2.6.