https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289511#M3608 <P>I tried but TERM is not working in this scenario as I have events like below:</P> <P>07/31/2013 15:38:18, field1=v1 field2=v2 field3=v3 07/31/2013 15:38:48, field1=v4 <STRONG>source=abcdef</STRONG> field2=v5 field3=v6</P> <P>This will not work as source=abcdef has "=" as it is a minor break from the below reference:<BR /> <A href="https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Search/UseCASEandTERMtomatchphrases">https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Search/UseCASEandTERMtomatchphrases</A></P> Mon, 09 Oct 2017 10:13:29 GMT prosenjit2707 2017-10-09T10:13:29Z https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289508#M3605 <P>Unfortunately, I have been indexing the events which have a key named "source" and splunk by default treat the key "source" as the source of the events.</P> <P>Now, when I am trying to retrieve the values from key "source", it is providing me the event source.</P> <P>Is there any way to retrieve the source key values from the events instead event sources(directories) or it is a bug/conflicts!</P> <P>Can anyone help me in this situation, how can I get the values without using regex/rex cmds?</P> Fri, 06 Oct 2017 12:53:08 GMT https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289508#M3605 prosenjit2707 2017-10-06T12:53:08Z https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289509#M3606 <P>You have multiple options I can see</P> <OL> <LI>Use TERM in your search: <CODE>&lt;yourSearch&gt; TERM(source=yoursourcevaluefromevent)</CODE></LI> <LI>Use rex to extract source under a different name: <CODE>| rex "source=(?&lt;mySource&gt;\w+)\s"</CODE></LI> <LI>Do a SEDCMD on ingest to change the field in your events to a different value</LI> </OL> Fri, 06 Oct 2017 17:00:40 GMT https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289509#M3606 s2_splunk 2017-10-06T17:00:40Z https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289510#M3607 <P>@ssievert - Ooooo, I like <CODE>TERM()</CODE>. I haz a new toy! Is Chrissmass!</P> Fri, 06 Oct 2017 21:30:44 GMT https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289510#M3607 DalJeanis 2017-10-06T21:30:44Z https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289511#M3608 <P>I tried but TERM is not working in this scenario as I have events like below:</P> <P>07/31/2013 15:38:18, field1=v1 field2=v2 field3=v3 07/31/2013 15:38:48, field1=v4 <STRONG>source=abcdef</STRONG> field2=v5 field3=v6</P> <P>This will not work as source=abcdef has "=" as it is a minor break from the below reference:<BR /> <A href="https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Search/UseCASEandTERMtomatchphrases">https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Search/UseCASEandTERMtomatchphrases</A></P> Mon, 09 Oct 2017 10:13:29 GMT https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289511#M3608 prosenjit2707 2017-10-09T10:13:29Z https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289512#M3609 <P>Good point, although - interestingly enough - it works for me (V7). </P> <P>I think your best bet for solving this at search time is to create an inline field extraction for the affected sourcetype(s) that pulls out the values and renames the key. Simply upper-casing the first letter should be least intrusive.<BR /> This allows you to not only search for the values, but also run reporting/statistics.<BR /> Example in props.conf:<BR /> [yoursourcetype]<BR /> EXTRACT-Source = source=(?<SOURCE>[^[\s]+)</SOURCE></P> <P>You can also do it via the UI (Settings-&gt;Fields-&gt;Field Extractions). Make sure it is visible in the appropriate app context (Permissions).</P> <P>Cleanest would be to either change it at the log source or apply a SEDCMD at index time to modify _raw.</P> Mon, 09 Oct 2017 21:16:24 GMT https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289512#M3609 s2_splunk 2017-10-09T21:16:24Z https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289513#M3610 <P>Maybe I am missing it, but is this what you are looking for?</P> <P>source="=abcdef"</P> Mon, 09 Oct 2017 21:27:14 GMT https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289513#M3610 blacknight659 2017-10-09T21:27:14Z https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289514#M3611 <P>Thanks for your response, Yes. I agreed with your option to change at props.conf itself. I tried in the field extractions, I did not got the proper values.</P> <P>Sometime, I have events with <STRONG>source="abcdef"</STRONG> (i.e. values enclosed in inverted comma).</P> Tue, 10 Oct 2017 10:10:47 GMT https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289514#M3611 prosenjit2707 2017-10-10T10:10:47Z https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289515#M3612 <P>Thank you for the response. But I am looking for all the possible values that comes under "source", but not from the default source (i.e. source=/opt/splunk/abc/xyz/log1.txt)</P> Tue, 10 Oct 2017 10:13:51 GMT https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289515#M3612 prosenjit2707 2017-10-10T10:13:51Z https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289516#M3613 <P>This is the optimum way that I can think of, as I do not have admin rights to change the config files.</P> <P>| rex "source=(?P\"?[^,]+)" | eval Source = lower(Source1)|chart count by Source</P> Tue, 10 Oct 2017 10:19:20 GMT https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289516#M3613 prosenjit2707 2017-10-10T10:19:20Z https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289517#M3614 <P>Ok, so you have two fields named "source" ?</P> <P>You are trying to search this data? NOT modify it at index time?</P> <P>If you are tying to search against the data, you will need to Eval or Rex it. Ultimately, you need get a little fancy to capture the values there. Ultimately, correcting this at index time is the best solution. </P> <P>If it were me, I would extract everything with the rex below, then search for all sources that do not have \ (since most sources have the \ to the directory of the log). </P> <PRE><CODE>| rex field=source "(?&lt;newSourceName&gt;[\w\W]*)" | search newSourceName!="*\*" </CODE></PRE> Tue, 10 Oct 2017 15:52:15 GMT https://community.splunk.com/t5/Splunk-Dev/Error-with-keyname-conflicting-with-source-Can-I-retrieve-the/m-p/289517#M3614 blacknight659 2017-10-10T15:52:15Z