Admin Manual



How Splunk Works

Define extracted fields in meta events


You can define extracted fields for meta events as well.


Configuration

The instructions for creating extracted fields in meta events are the same as for creating extracted fields in ordinary events, with one change: cite the source as meta-event when applying the REPORT-$VALUE setting in props.conf. Normally, in props.conf, you cite the original source (for example, source::/var/log/dhcplog), but for meta events the source is source::meta-event.


There are no differences in the transforms.conf configuration.


props.conf

Add the following lines to $SPLUNK_HOME/etc/bundles/local/props.conf:


[source::meta-event]
REPORT-$VALUE = $UNIQUE_STANZA_NAME

$UNIQUE_STANZA_NAME is the name of the stanza you define in transforms.conf (see below); props.conf refers to it by this name.

$VALUE is any label you choose to distinguish this REPORT- setting from others in the same stanza; it identifies the setting's namespace.

transforms.conf

Add the following lines to $SPLUNK_HOME/etc/bundles/local/transforms.conf:


[$UNIQUE_STANZA_NAME]
REGEX = $YOUR_REGEX
FORMAT = $YOUR_CUSTOM_FIELD_NAME::$1

$UNIQUE_STANZA_NAME = the name of your stanza. You will reference this name later when configuring props.conf.

REGEX = a regular expression whose capture group matches your custom field value.

FORMAT = $YOUR_CUSTOM_FIELD_NAME will be the name of your extracted field; $1 is the value captured by the first group of the regular expression.

Example

This example shows how to link events from DHCP logs together to create a whole transaction stream. These events are placed in the metaevents index (index::metaevents) as directed. This configuration enables users to filter or report on specific information such as MAC address, subnet, and client hostname (which is different from the loghost's hostname). The entries below extract these fields at search time.


In props.conf add:


[source::meta-event]
REPORT-interop = dhcp-fields

In transforms.conf add:


[dhcp-fields]
REGEX = (\S+:\S+:\S+:\S+:\S+:\S+) \(([^\)]+)\) via (\d+\.\d+)
FORMAT = mac_address::$1 client_hostname::$2 subnet::$3
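To make the REGEX/FORMAT mechanism from the Configuration section and the dhcp-fields example above concrete, here is an added simulation of what Splunk does at search time. It is not Splunk's code and not part of this page's original content: it reads the transforms.conf stanza as a dictionary, runs the regex over a few constructed DHCP meta events (sample lines written for this example, not real log data), and maps the capture groups to field names by parsing the FORMAT string. The `search` helper then shows the point of the exercise from a defender's side: once mac_address, client_hostname and subnet are fields, events can be filtered on them without re-reading raw text. The dot in the subnet group is escaped in the regex here because an unescaped "." would match any character between the two octets.

```python
import re

# Constructed transforms.conf stanza, mirroring the dhcp-fields example on this page.
TRANSFORMS = {
    "dhcp-fields": {
        "REGEX": r"(\S+:\S+:\S+:\S+:\S+:\S+) \(([^\)]+)\) via (\d+\.\d+)",
        "FORMAT": "mac_address::$1 client_hostname::$2 subnet::$3",
    }
}

# Constructed props.conf binding: source stanza -> transforms stanzas named by REPORT-* settings.
PROPS = {"source::meta-event": ["dhcp-fields"]}

# Constructed sample meta events (invented for this example, not captured data).
SAMPLE_EVENTS = [
    "DHCPACK on 10.1.2.45 to 00:1a:2b:3c:4d:5e (laptop-42) via 10.1",
    "DHCPACK on 10.1.3.12 to 00:1a:2b:3c:4d:5f (printer-lobby) via 10.1",
    "DHCPNAK on 10.2.0.9 to aa:bb:cc:dd:ee:ff (guest-phone) via 10.2",
    "some unrelated line with no dhcp fields",
]

# One FORMAT token looks like "field_name::$N".
_FORMAT_TOKEN = re.compile(r"(\w+)::\$(\d+)")


def parse_format(fmt):
    """Turn 'name::$1 other::$2' into [('name', 1), ('other', 2)]."""
    return [(name, int(idx)) for name, idx in _FORMAT_TOKEN.findall(fmt)]


def apply_transform(event, stanza):
    """Apply one transforms.conf stanza to an event; return extracted fields or {}."""
    match = re.search(stanza["REGEX"], event)
    if not match:
        return {}
    fields = {}
    for name, idx in parse_format(stanza["FORMAT"]):
        # Ignore a FORMAT reference to a group the regex does not have.
        if idx <= len(match.groups()):
            fields[name] = match.group(idx)
    return fields


def extract_fields(event, source="source::meta-event"):
    """Search-time extraction: run every transform bound to the event's source."""
    fields = {}
    for stanza_name in PROPS.get(source, []):
        fields.update(apply_transform(event, TRANSFORMS[stanza_name]))
    return fields


def search(events, **criteria):
    """Filter events on extracted field values, e.g. search(events, subnet='10.1')."""
    hits = []
    for event in events:
        fields = extract_fields(event)
        if all(fields.get(key) == value for key, value in criteria.items()):
            hits.append((event, fields))
    return hits


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event, "->", extract_fields(event))
    print("events on subnet 10.1:", len(search(SAMPLE_EVENTS, subnet="10.1")))
```

Running the module prints each sample event beside the fields the stanza extracts from it, and an empty dict for the line the regex does not match, which is also what you would see in Splunk: events that do not match simply carry no such fields.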

The result appears in SplunkWeb as:


[Image: DefineExtractedField-Picture 11.png, the SplunkWeb result showing the extracted fields]

This documentation applies to the following versions of Splunk: 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4
