I setup Splunk DB Connect to pull in log files that are stored in a MS SQL database. The logs have a Source column that is being excluded from the search results, since Connect DB makes you set a source type. I even tried to use a Rex and when testing the regular expression on regexr.com it identifies the regex, but some some reason Splunk is identifying the one that was declared in the Connect DB settings. Does anyone know a workaround for this?
Just rename the source field inside of your SQL
and then rename it back in the post-dbx* part of your SPL
. Cake.
Okay, just look at the SQL. Make sure that it is listing the actual columns...
NOT...
Select * from mydatabase.mytable
YES...
Select fieldname1, fieldname2 fieldname3, source, fieldname5
from mydatabase.mytable
Then change it to ...
Select fieldname1, fieldname2 fieldname3, source AS someothername, fieldname5
from mydatabase.mytable
and the source field should come across under the new name.
Can you provide samples?
The original rows from the DB (or the parts that matter), what displays in an event, and what each of the values should be?
Also, what did you try to do with the rex (like, specifically, even if it's wrong it may help us understand).