topic Field Extraction to Modify Key in Key Value Pair at Search Time in Splunk Search

Field Extraction to Modify Key in Key Value Pair at Search Time

ezajac — Mon, 28 Jul 2014 18:21:44 GMT

How can I create a field extraction to modify a key in a key value pair? I have a new file that I am indexing. The key is using "source" and this is conflicting with the built in "source" in Splunk. Making this change when the file is getting indexed will not work in this situation. I am looking to do this at Search Time.

2014-07-23 09:59:56,996 || Thread=9 || channel=CONTACTVIEW || endTimeRaw=1406123991420 || duration=3786 || startTimeRaw=1406123987634 || source=Portfolio || endTime=2014-07-23T13:59:51.420Z

Re: Field Extraction to Modify Key in Key Value Pair at Search Time

strive — Mon, 28 Jul 2014 18:47:35 GMT

One way i can think of is replacing the word source in your logs. Check this

http://answers.splunk.com/answers/71277/character-set-replacement-during-indexing

Re: Field Extraction to Modify Key in Key Value Pair at Search Time

ezajac — Mon, 28 Jul 2014 19:38:29 GMT

Can anything be done at Search Time like a field extraction?

Re: Field Extraction to Modify Key in Key Value Pair at Search Time

somesoni2 — Mon, 28 Jul 2014 19:42:03 GMT

you can extract value "Portfolio" with different field name using rex command or in the props.conf directly.

http://docs.splunk.com/Documentation/Splunk/6.1.2/Knowledge/Addfieldsatsearchtime

Using rex

your base search | rex " source=(?<orig_source>w+)"

you can put the same regex in props.conf.

[YourSourcetype]
...other settings...
EXTRACT-orig_group = (?i) source=(?<orig_source>w+)