Getting Data In

Can I alias "host" and "source" fields from incoming logs so they don't interfere with Splunk's built-in fields?

thisissplunk
Builder

Splunk inherently has host and source fields to log the host (forwarder) and source (log file) for each event. However, a log source in my environment also has "host" and "source" fields representing completely different pieces of data.

How do I solve this issue? I cannot modify the log source's fields in question. My thought was to alias host/source AS something else, but what kind of effect would that have? Would it solve my issue or would it just change the Splunk host/source AND my log source to the new field alias?

1 Solution

somesoni2
Revered Legend

Option 1: Set up field extraction to capture host and source from your log data. Maybe rename them to logging_host and logging_source. Either using props.conf OR props/transforms. See this
http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Createandmaintainsearch-timefieldextract...

Option 2: Use SEDCMD (assuming your log contains the host/source as key-value pairs) to modify the incoming logs and rename the fields in the log. See these
http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Anonymizedatausingconfigurationfiles
https://answers.splunk.com/answers/210096/how-to-configure-sedcmd-in-propsconf.html
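
To make the two options concrete, here is an added props.conf example; it is not from the answer above, and the sourcetype name my_sourcetype and the key=value layout of the raw event are assumptions:

```ini
# props.conf (sourcetype name is assumed; replace with your own)
[my_sourcetype]

# Option 1, search time: extract the log's own host=/source= values into new
# field names. Splunk's metadata host/source stay untouched, and the new fields
# hold only the values from the raw event, so they are no longer multivalue.
# Handles both host=value and host="value".
EXTRACT-logging_host   = (?:^|[\s,])host="?(?<logging_host>[^\s,"]+)
EXTRACT-logging_source = (?:^|[\s,])source="?(?<logging_source>[^\s,"]+)

# Option 2, index time: rewrite the key names in _raw before indexing so that
# automatic key=value extraction never yields a colliding host/source field.
# Use one option or the other: after this rewrite, automatic extraction already
# produces logging_host/logging_source and the EXTRACT lines above have nothing
# to match. SEDCMD runs where the data is parsed (indexer or heavy forwarder,
# not a universal forwarder) and only affects events indexed after deployment.
SEDCMD-rename_host   = s/(^|[\s,])host=/\1logging_host=/g
SEDCMD-rename_source = s/(^|[\s,])source=/\1logging_source=/g
```

Verify Option 1 on already indexed data with a search such as `sourcetype=my_sourcetype | table host source logging_host logging_source` before changing anything at index time.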

thisissplunk
Builder

Thanks. Just to be clear though, with option #1 I'll have the new logging_host and logging_source fields, but source and host will still have the conflicts?

Also, do you know how aliasing would work? Would it change the actual Splunk source and host fields to something else as well? Example: FIELDALIAS-ASOURCETYPE - aname - host AS logging_host source AS logging_source


somesoni2
Revered Legend

Yes, since your logs will still have a key-value pair for host/source, those fields will still exist, but the metadata fields will take precedence, so they will not be available as host and source. A field alias would likewise create an alias for the field having precedence (the metadata host/source), so it will not solve any issue. An alias will not change anything but will create a new field with the same value and a different name.


thisissplunk
Builder

One last thing... currently the source and host fields are turning into mv fields because of the issue at hand. I'm not sure extractions to new fields would help this.

Either way, I'm not worried about that. I mostly just need the fields extracted so I can do splunky things on those new fields without the other metadata field's values in there messing it up.
