Create additional search fields
Splunk automatically adds search fields such as host, source, source type and event type. You can also create your own custom search fields. Once you have created a new search field, it appears in the Fields drop-down menu in SplunkWeb, and you can search on it by typing $CUSTOM_FIELD::foo in your search.
Configuration
You can define additional search fields by editing props.conf and transforms.conf.
transforms.conf
Add the following lines to $SPLUNK_HOME/etc/bundles/local/transforms.conf:
[$UNIQUE_STANZA_NAME]
REGEX = $YOUR_REGEX
FORMAT = $0 $YOUR_CUSTOM_FIELD_NAME::$1
DEST_KEY = _meta
- $UNIQUE_STANZA_NAME = the name of your stanza. You will use this name later when configuring props.conf.
- REGEX = a regex that recognizes your custom field value.
- FORMAT = $0 refers to the event up to the regex; $1 refers to the event from the regex on. This ensures the correct formatting of your events. In order to properly display field values containing whitespace in SplunkWeb, you must quote the value in the FORMAT key: FORMAT = $YOUR_CUSTOM_FIELD_NAME::"$1"
- DEST_KEY = set this to _meta to write your field name and value to meta. This is where search fields are stored.
Note: In order to preserve previous matching extractions, you need to include a $0 in the FORMAT key. If you don't include $0, the previously extracted fields will be erased and only the last matching extraction specified in transforms.conf will be kept.
props.conf
Add the following lines to $SPLUNK_HOME/etc/bundles/local/props.conf:
[<spec>]
TRANSFORMS-$VALUE = $UNIQUE_STANZA_NAME
<spec> can be:
- <sourcetype>, the sourcetype of an event
- host::<host>, where <host> is the host for an event
- source::<source>, where <source> is the source for an event
$UNIQUE_STANZA_NAME is the name of your stanza from transforms.conf.
$VALUE is any value you want to give to your stanza to identify its name-space.
Example
We are looking for the occurrence of 'device_id=' followed by a word within brackets and a text string terminating with a colon. The source type of the events is testlog.
In $SPLUNK_HOME/etc/bundles/local/transforms.conf add:
[netscreen-error]
REGEX = device_id=[^ ]+\s+\[\w+\](.*)(?=:)
FORMAT = $0 err_code::$1
DEST_KEY = _meta
Add the following lines to $SPLUNK_HOME/etc/bundles/local/props.conf:
[testlog]
TRANSFORMS-netscreen = netscreen-error
Comments:
- The FORMAT = line contains two values:
  - $1 is the new field written to the index. It is the value in the parentheses from the regex.
  - $0 is the content before the regex. It is necessary to write the original content to preserve the Splunk-supplied indexed fields (e.g. host and source) as well as any fields that may have been extracted in previous transforms.
- DEST_KEY = _meta is an instruction to write the content of FORMAT to the index.
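As an added example (not code from the Splunk documentation), the following Python models how the [netscreen-error] stanza is applied to a constructed event, so the effect of the $0 rule described above is visible. It assumes $0 stands for the current contents of the destination key, and the sample event, the SPLUNK_META contents and the function names are constructed for this illustration.

```python
import re
import shlex

# Constructed sample event and pre-existing indexed fields (not from the page).
SAMPLE_EVENT = ("Jan 12 10:01:02 fw1 NetScreen device_id=fw1 [Root]"
                "system-critical-00027: Policy violation from 10.0.0.5")
SPLUNK_META = "host::fw1 source::/var/log/netscreen.log sourcetype::testlog"

# The page's [netscreen-error] stanza as key/value pairs.
NETSCREEN_ERROR = {
    "REGEX": r"device_id=[^ ]+\s+\[\w+\](.*)(?=:)",
    "FORMAT": "$0 err_code::$1",
    "DEST_KEY": "_meta",
}

def apply_transform(stanza, event, keys):
    """Apply one transforms.conf stanza to an event.

    `keys` maps destination keys to their current contents. $0 is modelled
    (an assumption of this example) as the current contents of DEST_KEY,
    i.e. everything written so far, and $1..$n as the regex capture groups.
    A new dict is returned; keys are unchanged if the regex does not match.
    """
    match = re.search(stanza["REGEX"], event)
    if not match:
        return dict(keys)
    dest = stanza["DEST_KEY"]
    current = keys.get(dest, "")

    def expand(ref):
        n = int(ref.group(1))
        return current if n == 0 else match.group(n)

    updated = dict(keys)
    updated[dest] = re.sub(r"\$(\d+)", expand, stanza["FORMAT"]).strip()
    return updated

def meta_fields(meta):
    """Split a _meta string into {name: value} pairs as they would be searched.
    shlex honours the quoting the page recommends for values containing
    whitespace (FORMAT = name::"$1")."""
    return dict(token.split("::", 1) for token in shlex.split(meta))

if __name__ == "__main__":
    keys = apply_transform(NETSCREEN_ERROR, SAMPLE_EVENT, {"_meta": SPLUNK_META})
    print(meta_fields(keys["_meta"]))
    # Same stanza without $0 in FORMAT: host, source and sourcetype are lost.
    no_dollar0 = dict(NETSCREEN_ERROR, FORMAT="err_code::$1")
    print(meta_fields(apply_transform(no_dollar0, SAMPLE_EVENT, {"_meta": SPLUNK_META})["_meta"]))
```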
This documentation applies to the following versions of Splunk: 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4