I am wanting to extract a new field from the original **source** field, based on regex matches. I would then like to prepend/append some constant text to the extracted value. I would like to do this using the field transformation and field extraction dialogs in the Splunk web admin (alternatively I can also modify the light forwarder configs).
As an example, if the log file source contains the text "External", I would like to create a new field called "zone" with the value "Zone-External". I can achieve this via Splunk search using the **rex** and **eval** commands, like the following:
**Example source:**
`/opt/app/logs/CrowdCounting/cc_ip52_External-20161123.log`
**Dashboard query:**
`sourcetype=crowd_count | rex field=source "(?<zone_extract>External|OutsideCorner|Inside|FarSide)" | eval zone="Zone-".zone_extract`
Using the field transformation/extraction admin dialogs, I can extract a field containing the matched text (i.e. zone=External), but I am unable to prepend/append any text to the value. Does anyone know how I can achieve this?
Alternatively, it would also be OK if I can do this via the splunkforwarder configs; however, it appears this is not possible on a light forwarder. But I may be wrong?
Note: the data is ingested using a light universal splunkforwarder, and I am not able to modify the configs on the indexer at all.
Thanks,
Allan