Hi,
Here is my situation (and I know it isn't ideal, but I have to work with it for now)
I have scripts that pre-process log files to a standard format that Splunk digests. The format isn't really that important here, but the problem is that I have to add two more fields to this file that is created.
**How do I handle this change in the format of my input file with the setup that I currently have?**
**I want the old data to remain unchanged and also perhaps add a default value for the 2 new fields?**
**inputs.conf**
```
[monitor:///var/log/error-monitoring]
followTail = 0
sourcetype = psv
host =
host_regex = ([^/.]+).
index = test-index
```
**props.conf**
```
[psv]
REPORT-PSV = psv-delim
pulldown_type = 1
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
```
**transforms.conf**
```
[psv-delim]
DELIMS = "|"
FIELDS = server,service,date,type,requestId,class,message
```
....
So essentially my **new** input file would have **server,service,date,type,requestId,class,message,user,id**
Halp.