Add Fields
The Add Fields function allows you to add new fields to your data during the transformation process.
Purpose
The Add Fields function is typically used in pipelines to:
Add static metadata (e.g., environment tags, service names).
Compute new fields based on existing data.
Insert default values or enrich data with contextual information.
Fields are added as key-value pairs, and each rule can carry its own condition, so the same transform serves both static tagging of every event and conditional enrichment of only the events that need it.
Usage
Select the Add Fields transform and enter a Name (required) and a Description (optional).
General Configuration:
Bypass Transform: Disabled by default. When enabled, the transform is skipped entirely and events pass through unmodified.
Add Filter Conditions: Disabled by default. When enabled, only events that satisfy the filter conditions are processed by this transform; all other events bypass it. Conditions are combined with AND/OR logic using the +Rule and +Group buttons.
Add Fields: Enabled: Enabled by default, meaning every event that reaches the transform is evaluated against the rules. Toggle Enabled off to stop this transform from processing events and passing its output to downstream transforms.
Fields to Add Rules: The set of fields to evaluate and add or set on each event. One rule (a key-value pair) is present by default. Click Add to add another field as a key-value pair, with the following inputs:
Condition: Optionally specify a condition so that the field is added only when the condition is met. If no condition is specified, the field is added to every event.
Field Name to Add: Enter the name of the new field to add to the event.
Field Value to Add: Enter the value for the field. This can be a String, Number or Boolean.
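As an added worked example (not the product's own code), the following Python models the rule semantics described above: unconditional rules, conditional rules using the equals and matches regex operators, dotted access to nested fields such as palo_alto.log_type, and the Enabled toggle. It assumes events are dictionaries, that rules are applied in order against the progressively enriched event, and that an absent condition field makes the condition false; none of these details are stated on the page. It also encodes the Splunkify rule set from the Examples section to show why an IP address used with matches regex should be escaped and anchored.

```python
"""Reference model of the Add Fields rule semantics.

Added example, not the product's own code. Assumptions not stated on the
page: events are dicts, nested field names use dot notation
(palo_alto.log_type), conditions support the operators "equals" and
"matches regex", and rules are applied in order against the progressively
enriched event, so a later rule may overwrite an earlier one.
"""
import re
from dataclasses import dataclass
from typing import Any, Optional


def get_path(event: dict, path: str) -> Any:
    """Resolve a dotted field name such as palo_alto.log_type; None if absent."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


@dataclass
class Rule:
    """One 'Fields to Add' entry: an optional condition plus the key/value to set."""
    field: str                        # Field Name to Add
    value: Any                        # Field Value to Add (string, number or boolean)
    cond_field: Optional[str] = None  # field the condition inspects; None = unconditional
    op: str = "equals"                # "equals" or "matches regex"
    pattern: str = ""

    def matches(self, event: dict) -> bool:
        if self.cond_field is None:
            return True
        actual = get_path(event, self.cond_field)
        if actual is None:            # assumption: missing field means the condition is false
            return False
        if self.op == "equals":
            return str(actual) == self.pattern
        if self.op == "matches regex":
            return re.search(self.pattern, str(actual)) is not None
        raise ValueError(f"unsupported operator: {self.op!r}")


def add_fields(event: dict, rules: list, enabled: bool = True) -> dict:
    """Apply the rules to a copy of the event; a disabled transform passes it through."""
    out = dict(event)
    if not enabled:
        return out
    for rule in rules:
        if rule.matches(out):
            out[rule.field] = rule.value
    return out


# The five Splunkify rules from the page. The host rule is written with an
# anchored, escaped pattern; LOOSE_HOST_RULE keeps the page's bare 10.10.0.1.
SPLUNKIFY_RULES = [
    Rule("index", "network"),
    Rule("sourcetype", "pan:threat", "palo_alto.log_type", "equals", "THREAT"),
    Rule("sourcetype", "pan:traffic", "palo_alto.log_type", "equals", "TRAFFIC"),
    Rule("host", "fw_syslog-1", "source_ip", "matches regex", r"^10\.10\.0\.1$"),
    Rule("source", "pan_logs"),
]
LOOSE_HOST_RULE = Rule("host", "fw_syslog-1", "source_ip", "matches regex", "10.10.0.1")


def sample_event(source_ip: str, log_type: str = "THREAT") -> dict:
    """Constructed PAN-OS style event modelled on the page's sample; not real traffic."""
    return {
        "appname": "pan",
        "palo_alto": {"log_type": log_type, "log_subtype": "end"},
        "severity": "alert",
        "source_ip": source_ip,
        "timestamp": "2025-02-20T16:41:55.734Z",
    }


def splunkify(event: dict) -> dict:
    """Run the Splunkify rule set over one event."""
    return add_fields(event, SPLUNKIFY_RULES)


def host_with_loose_regex(event: dict) -> Optional[str]:
    """Host value produced by the unescaped, unanchored pattern (over-matches)."""
    return add_fields(event, [LOOSE_HOST_RULE]).get("host")


if __name__ == "__main__":
    print(splunkify(sample_event("10.10.0.1")))
    print(splunkify(sample_event("10.0.0.1", "TRAFFIC")))
    print(host_with_loose_regex(sample_event("10.10.0.10")))   # set: bare pattern is a prefix match
    print(splunkify(sample_event("10.10.0.10")).get("host"))  # None with the anchored pattern
```

The loose pattern matches any string containing the characters 10, anything, 10, anything, 0, anything, 1, so a source_ip of 10.10.0.10 or even 10a10b0c1 would be tagged as fw_syslog-1; anchoring and escaping (or using the equals operator) restricts the rule to the one address intended.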
Examples
Add Simple Field
Scenario: Add a field without conditions.
| Setting | Value |
| --- | --- |
| Add Fields | Toggled On |

Fields to Add:

| Condition | Field Name to Add | Field Value to Add |
| --- | --- | --- |
| n/a | index | network |

Result: The field index with value network is added to the log entry.
Add Field with Condition
Scenario: Add the hostname field based on a sourceIPAddress condition.

| Setting | Value |
| --- | --- |
| Add Fields | Toggled On |

Fields to Add:

| Condition | Field Name to Add | Field Value to Add |
| --- | --- | --- |
| AND sourceIPAddress matches regex 10.10.0.0 | hostname | up.com |

Input event:

```json
{
  "appname": "shaneIxD",
  "facility": "uucp",
  "message": "Maybe we just shouldn't use computers",
  "msgid": "ID701",
  "procid": 8579,
  "severity": "warning",
  "sourceIPAddress": "10.10.0.0",
  "timestamp": "2025-02-20T15:14:49.093Z",
  "version": 1
}
```

Output event:

```json
{
  "appname": "shaneIxD",
  "facility": "uucp",
  "hostname": "up.com",
  "message": "Maybe we just shouldn't use computers",
  "msgid": "ID701",
  "procid": 8579,
  "severity": "warning",
  "sourceIPAddress": "10.10.0.0",
  "timestamp": "2025-02-20T15:14:49.093Z",
  "version": 1
}
```

Results: The field hostname with value up.com is added to the log entry when sourceIPAddress matches the regex 10.10.0.0. Note that in a regular expression an unescaped dot matches any character and the pattern is not anchored, so 10.10.0.0 also matches values such as 10.10.0.01 or 110.10.0.0. To match only that exact address, use the pattern ^10\.10\.0\.0$ or the equals operator instead.
Splunkify Logs
Scenario: Splunkify the log entry to ensure that it’s properly accepted by the Splunk Enterprise or Splunk Cloud instance.
| Setting | Value |
| --- | --- |
| Add Fields | Toggled On |

Fields to Add:

| Rule | Condition | Field Name to Add | Field Value to Add |
| --- | --- | --- | --- |
| Rule 1 | n/a | index | network |
| Rule 2 | AND palo_alto.log_type equals THREAT | sourcetype | pan:threat |
| Rule 3 | AND palo_alto.log_type equals TRAFFIC | sourcetype | pan:traffic |
| Rule 4 | AND source_ip matches regex 10.10.0.1 | host | fw_syslog-1 |
| Rule 5 | n/a | source | pan_logs |

Results: The fields Splunk requires to accept each log entry are added automatically: index, sourcetype (pan:threat or pan:traffic, depending on palo_alto.log_type), host and source. Note that in the sample output below source_ip is 10.0.0.1, which does not match Rule 4's pattern 10.10.0.1, so the host value pan_firewall-1 shown there was not set by Rule 4.
```json
{
  "appname": "pan",
  "facility": "lpr",
  "host": "pan_firewall-1",
  "index": "network",
  "palo_alto": {
    "future_use1": "1",
    "log_subtype": "end",
    "log_type": "THREAT",
    "receive_time": "2025/02/20 16:41:55",
    "serial_number": "007051000113358",
    "version": "0"
  },
  "severity": "alert",
  "source": "pan_logs",
  "source_ip": "10.0.0.1",
  "sourcetype": "pan:threat",
  "timestamp": "2025-02-20T16:41:55.734Z"
}
```

Best Practices
Use Descriptive Field Names: Choose clear and meaningful names for new fields to improve readability.
Optimize Conditions: Use conditions to add fields only when necessary, reducing unnecessary data bloat.
Test Configurations: Test your Add Fields configurations in a development environment before deploying to production, including the regex conditions, since an unescaped or unanchored pattern can match more events than intended.
Related Functions
Remove Fields: Remove unnecessary fields from your data.
Rename Fields: Rename fields to standardize naming conventions.
Filter Data: Apply conditions to filter data before or after adding fields.