
Create search time custom fields

It seems that it is best to create fields at search time as opposed to index time?! I need to make a field named src be copied/renamed to source_ip. We need to do this to simplify our searches, and I am sure it is not hard to do.

Thanks!

Re: Create search time custom fields

Splunk Employee

There's a few ways you can do this... through SPL at search time, or via field aliases.

In search, it would look like this:

my search .. | eval source_ip = src | more search

Or you can use rename in SPL (the original field name comes first, then the new name):

my search | rename src AS source_ip | more search

Another option would be to use a field alias associated with the specific sourcetype. You can read more about this here: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addaliasestofields.
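A props.conf stanza for the field-alias option, as an added example that is not part of the answer above; the sourcetype name and the file location are assumptions:

```ini
# props.conf (assumed location: $SPLUNK_HOME/etc/system/local/ or an app's local/ directory)
# The stanza name below is a placeholder; use the sourcetype that actually carries the src field.
[my_firewall_sourcetype]
# Search-time field alias: the value of src is also exposed as source_ip.
# The original src field stays available, so existing searches keep working.
# The alias only fires when src has already been extracted for this sourcetype.
FIELDALIAS-src_to_source_ip = src AS source_ip
```

After the configuration is reloaded, a quick check is a search over that sourcetype ending in `| table src source_ip`, which should show both columns populated with the same value.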