Create search time custom fields


It seems that it is best to create fields at search time as opposed to index time.!?!? I need to make a field named src be copied/renamed to source_ip. We need to do this to simplify our searches and I am sure it is not hard to do.


Tags (1)
0 Karma

Splunk Employee
Splunk Employee

Theres a few ways you can do this... Through SPL at search time, or via fields aliases..

In search.. It would look like this..

my search .. | eval source_ip = src | more search

Or you can use rename in SPL..

my search | rename source_ip AS src | more search

Other option would be to use a field alias associated to the specific sourcetype. You can read more about this here :