Add Fields

The Add Fields function allows you to add new fields to your data during the transformation process.

Purpose

The Add Fields function is typically used in pipelines to:

• Add static metadata (e.g., environment tags, service names).

• Compute new fields based on existing data.

• Insert default values or enrich data with contextual information.

This function is useful for enriching data with additional metadata, computed values, or static information.

Usage

Select Add Fields transform. Add Name (required) and Description (optional).

General Configuration:

• Bypass Transform: Defaults to disabled. When enabled, this transform will be bypassed entirely, allowing the event to pass through without any modifications.

• Add Filter Conditions: Defaults to disabled. When enabled, it allows events to filter through conditions. Only events that meet the true condition will be processed; all others will bypass this transform. Based on AND/OR conditions, "+Rule" or "+Group" buttons.

Add Fields: Enabled: Defaults to enabled, meaning it does evaluate all events. Toggle Enabled off to prevent event processing to feed data to the downstream Transforms.

Fields to Add Rules: Set of event fields to evaluate and add/set. First field entry (1 rule) key-value pair added by default. Click Add button to add new field as a key-value pair, with the following inputs:

• Condition: Specify a condition to add the field only if the condition is met. If no condition is specified, the field will be added to all events.

• Field Name to Add: Enter the new field name whose value will be used for extraction.

• Field Value to Add: Enter a field value – this can be a String, Number or Boolean.

Examples

Add Simple Field

Scenario: Add a field without conditions.

Add Fields

Fields to Add

Result: The field index with value network is added to the log entry.

Add Field with Condition

Scenario: Add the hostname field based on sourceIPAddress condition.

Add Fields

Fields to Add

|

|

| | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |

Results: The field hostname with value up.com is added to the log entry if sourceIPAddress matches the IP Address 10.10.0.0.

Splunkify Logs

Scenario: Splunkify the log entry to ensure that it’s properly accepted by the Splunk Enterprise or Splunk Cloud instance.

Add Fields

Fields to Add

• Rule 1

• Rule 2

• Rule 3

• Rule 4

• Rule 5

Results: All the required fields to Splunkify each log entry that include index, sourcetype (THREAT) or sourcetype (TRAFFIC), host and source are added automatically.

Best Practices

1. Use Descriptive Field Names: Choose clear and meaningful names for new fields to improve readability.

2. Optimize Conditions: Use conditions to add fields only when necessary, reducing unnecessary data bloat.

3. Test Configurations: Test your AddFields configurations in a development environment before deploying to production.

Related Functions

• Remove Fields: Remove unnecessary fields from your data.

• Rename Fields: Rename fields to standardize naming conventions.

• Filter Data: Apply conditions to filter data before or after adding fields.

Additional Resources

• Observo AI Transformation Functions Overview

• Best Practices for Data Enrichment