Other common search-time attributes include:
• REPORT-foo = bar: This attribute is a way to reference stanzas in transforms.conf but apply them at search time instead of index time. This approach predates EXTRACT and is still useful for a few special cases. We will cover this case later under the transforms.conf section.
• KV_MODE = auto: This attribute allows you to specify whether Splunk should automatically extract fields in the form key=value from events. The default value is auto. The most common change is to disable automatic field extraction for performance reasons by setting the value to none. Other possibilities are multi, json, and xml.
• LOOKUP-foo = mylookup barfield: This attribute lets you wire up a lookup to automatically run for some set of events. The lookup itself is defined in transforms.conf.
Index-time attributes
As discussed in Chapter 3, Indexed fields versus extracted fields, it is possible to add fields to the metadata of events. This is accomplished by specifying a transform in transforms.conf, and an attribute in props.conf, to tie the transformation to specific events.
The attribute in props.conf looks like this: TRANSFORMS-foo = bar1,bar2.
This attribute references stanzas in transforms.conf by name, in this case, bar1 and bar2. These transform stanzas are then applied to the events matched by the stanza in props.conf.
Parse-time attributes
Most of the attributes in props.conf actually have to do with parsing events. To successfully parse events, a few questions need to be answered, such as these:
• When does a new event begin? Are events multiline? Splunk will make fairly intelligent guesses, but it is best to specify an exact setting. Attributes that help with this include:
° SHOULD_LINEMERGE = false: If you know your events will never contain the newline character, setting this to false will eliminate a lot of processing.
° BREAK_ONLY_BEFORE = ^\d\d\d\d-\d\d-\d\d: If you know that new events always start with a particular pattern, you can specify it using this attribute.
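As an added example (not from the book), the following props.conf and transforms.conf fragments show how the search-time, index-time and parse-time attributes discussed on this page fit together for two constructed sourcetypes. The sourcetype names acme:auth and acme:app, the stanza names, the field names, the index name security and the file acme_users.csv are all assumptions; the attribute names are standard Splunk settings.

```ini
# props.conf (added example; sourcetype, stanza, field, index and
# file names below are assumed for illustration)
[acme:auth]
# Single-line key=value audit records: no line merging needed.
SHOULD_LINEMERGE = false
# Index-time: apply two transforms.conf stanzas to matching events.
TRANSFORMS-acme = acme_indexed_action,acme_route_failures
# Search-time: keep automatic key=value extraction (the default).
KV_MODE = auto
# Search-time: run an extraction from transforms.conf (pre-EXTRACT style).
REPORT-acme = acme_user_extract
# Search-time: enrich each event with the user's department from a lookup.
LOOKUP-acme = acme_user_lookup user OUTPUT department

[acme:app]
# Multiline application log: merge lines, and start a new event only
# where a line begins with a YYYY-MM-DD timestamp.
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\d\d\d\d-\d\d-\d\d

# transforms.conf
[acme_indexed_action]
# Write "action" into the event metadata as an indexed field.
REGEX = action=(\w+)
FORMAT = action::$1
WRITE_META = true

[acme_route_failures]
# Route failed authentications to a dedicated index at index time.
REGEX = result=failure
DEST_KEY = _MetaData:Index
FORMAT = security

[acme_user_extract]
# Search-time extraction referenced by REPORT-acme above.
REGEX = user=(?<user>[^\s,]+)

[acme_user_lookup]
# CSV lookup referenced by LOOKUP-acme above; column "user" is the key.
filename = acme_users.csv
```

Note that BREAK_ONLY_BEFORE only takes effect when SHOULD_LINEMERGE is true, which is why the two sourcetypes set it differently.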