Is there a solution to handle a field name in my d...

anewell · ‎06-24-2015

My raw data includes a field "source=SoftwareSubsystemFoo", a name which overlaps the default 'source' field. In the past, I had the same issue and I dimly recall that the overlapping field was renamed something like '_extracted_source'. As an underscored fieldname it was hidden from the UI unless requested directly with the | fields search command. I can't find the details in my notes, and my search-fu is failing.

Does this remapped field name exist? What is it?

An alternate solution would be to create a transform, but I have a large and variable number of sourcetypes which might have namespace collisions, and I'd prefer an automatic solution, particularly if it were already happening in the background.

Reference: http://answers.splunk.com/answers/26243/source-as-fieldname.html

lguinn2 · ‎06-24-2015

I suggest that you set up a field alias for your source field. If your field name is converted to "extracted_source", you could set up an alias to name it something else - even "Source", although that might be confusing.

Go to Settings -> Fields -> Field Alias. Fill out the form. If you want others to be able to use the alias, be sure to set the permissions. Note that only a Splunk admin can set the permissions to "Global" so that the alias will be available throughout the environment (and you may want this).

sk314 · ‎06-24-2015

FWIW, I use splunk 6.2.2 and had a csv file with a field named source. It got converted to extracted_source. you could simply rename the field in your logs or rename extracted_source to something else using the rename command.

Is there a solution to handle a field name in my data that overlaps with the default "source" field name?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases