To add new fields to any event, we use the out-of-the-box Eval Function. We can either apply a Filter to select the events, or we can use the default
true Filter expression to apply the Function to all incoming events.
Let's see how we add
dc::nyc-42 to all events with
First make sure you have a Route and Pipeline configured to match desired events.
Next, let's add a Eval function to it:
- Next, let's click on + Add Field, add our
dcfield, and click Save.
To confirm, verify that this search returns results:
- You can add more conditions to the filter, if you'd like. For example, to limit the field to only events from hosts that start with
web-01, we can change the filter input as below:
This is a very powerful method to change incoming events in real time. In addition to providing the right context at the right time, users can further benefit substantially by using
tstats for faster analytics.
You can remove fields by listing and/or wildcarding field names. Let's see how we can remove all fields that start with
First, make sure you have a Route and Pipeline configured to match desired events.
Next, let's add a Eval function to it (as above).
Next, in Remove Fields, add
date_*and hit Save.
To confirm, verify that this search:
sourcetype="access_combined" date_minute=* will soon stop returning results. Enjoy a more efficient Splunk!
Updated 11 months ago