Create additional search fields

Create additional search fields

Splunk automatically adds search fields such as host, source, source type, event type, etc. You can create your own custom search fields. Once you have created a new search field, it will appear in the Fields drop-down menu in SplunkWeb. You will also be able to search on it, as well, by typing $CUSTOM_FIELD::foo in your search.

Configuration

You can define additional search fields by editing props.conf and transforms.conf.

transforms.conf

Add the following lines to $SPLUNK_HOME/etc/bundles/local/transforms.conf:

[$UNIQUE_STANZA_NAME]
REGEX = $YOUR_REGEX
FORMAT = $0 $YOUR_CUSTOM_FIELD_NAME::$1
DEST_KEY = _meta

• $UNIQUE_STANZA_NAME = name your stanza. You will use this name later in configuring props.conf.
• REGEX = create a regex that will recognize your custom field value.
• FORMAT = $0 refers to the event up to the regex; $1 refers to the event from the regex on. This will ensure the correct formatting of your events.
  • In order to properly display field values containing whitespace in SplunkWeb, you must apply quotes to the FORMAT key.
  • FORMAT = $YOUR_CUSTOM_FIELD_NAME::"$1"
• DEST_KEY = set this to _meta to write your field name and value to meta. This is where search fields are stored.

Note: In order to preserve previous matching extractions, you need to include a $0 in the FORMAT key. If you don't include $0, the previously extracted fields will be erased and only the last matching extraction specified in transforms.conf will be kept.

props.conf

Add the following lines to $SPLUNK_HOME/etc/bundles/local/props.conf:

[<spec>]
TRANSFORMS-$VALUE = $UNIQUE_STANZA_NAME

<spec> can be:

1. <sourcetype>, the sourcetype of an event
2. host::<host>, where <host> is the host for an event
3. source::<source>, where <source> is the source for an event

$UNIQUE_STANZA_NAME is the name of your stanza from transforms.conf.

$VALUE is any value you want to give to your stanza to identify its name-space.

Example

We are looking for the occurrence of 'device_id=' followed with a word within brackets and a text string terminating with a colon. The source type of the events is testlog.

In $SPLUNK_HOME/etc/bundles/local/transforms.conf add:

[netscreen-error]
REGEX =  device_id=[^ ]+\s+\[w+\](.*)(?
FORMAT = $0 err_code::$1
DEST_KEY = _meta 

Add the following lines to $SPLUNK_HOME/etc/bundles/local/props.conf:

[testlog]
TRANSFORMS-netscreen = netscreen-error

Comments:

• The FORMAT = line contains two values:
  • $1 is the new field written to the index. It is the value in the parenthesis from the regex.
  • $0 is the content before the regex. It is necessary to write the original content to preserve the Splunk-supplied indexed fields (e.g. host and source) as well as any fields that may have been extracted in previous transforms.
• DEST_KEY = _meta is an instruction to write the content of FORMAT to the index.