Splunk inherently has host and source fields to log the host (forwarder) and source (log file) for each event. However, a log source in my environment also has "host" and "source" fields representing completely different pieces of data.
How do I solve this issue? I cannot modify the log source's fields in question. My thought was to alias host/source AS something else, but what kind of effect would that have? Would it solve my issue or would it just change the Splunk host/source AND my log source to the new field alias?
Option 1: Set up a field extraction to capture host and source from your log data. Maybe rename them to logging_host and logging_source. Either using props.conf OR props/transforms. See this
http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Createandmaintainsearch-timefieldextract...
Option 2: Use SEDCMD (assuming your log contains host/source as key-value pairs) to modify the incoming logs and rename the fields in the log. See these
http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Anonymizedatausingconfigurationfiles
https://answers.splunk.com/answers/210096/how-to-configure-sedcmd-in-propsconf.html
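A concrete props.conf/transforms.conf for the two options above, added here as a worked example; it is not part of the original answer. The sourcetype name app_log, the stanza names, and the "host=value source=value" layout of the sample event are assumptions, not something the question states.

```ini
# props.conf -- added example, not from the original answer.
# Assumes a hypothetical sourcetype "app_log" whose raw events carry
# unquoted "host=<value> source=<value>" pairs. Constructed sample event:
#   2016-03-01T10:00:00 host=appnode7 source=billing-api level=INFO msg="ok"
# Pick ONE of the two options below for a real deployment; they are shown
# together only so the difference is visible.

[app_log]

# Option 1: search-time extraction into differently named fields.
# Splunk's own metadata host/source (forwarder and log file) are untouched;
# the values from the event body land in logging_host / logging_source.
# "\bhost=" does not match "logging_host=" because "_" is a word character.
EXTRACT-logging_fields = \bhost=(?<logging_host>\S+)\s+source=(?<logging_source>\S+)

# Option 1, props + transforms variant (same result, reusable stanza):
# props.conf:
#   [app_log]
#   REPORT-logging_fields = app_log_logging_fields
# transforms.conf:
#   [app_log_logging_fields]
#   REGEX  = \bhost=(\S+)\s+source=(\S+)
#   FORMAT = logging_host::$1 logging_source::$2

# Option 2: index-time rewrite of the keys in the raw event with SEDCMD.
# This runs on the parsing tier (indexer or heavy forwarder), not on the
# search head, and only affects events indexed after it is deployed.
# Once the keys are renamed, automatic key-value extraction (KV_MODE=auto)
# yields logging_host / logging_source with no EXTRACT needed, and the
# metadata host/source fields no longer collide with anything in _raw.
SEDCMD-rename_host_key   = s/\bhost=/logging_host=/g
SEDCMD-rename_source_key = s/\bsource=/logging_source=/g
```

To check either option after deploying and restarting (or, for Option 1, simply re-running the search), run something like `sourcetype=app_log | table host source logging_host logging_source`: host and source should show only the forwarder and file path, and the event-body values should appear only in the logging_* fields. Note that Option 2 is a change to the indexed data itself, so keep a copy of the original raw events if anything downstream (forensics, audit) needs the unmodified line.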
Thanks. Just to be clear though, with option #1 I'll have the new logging_host and logging_source fields, but source and host will still have the conflicts?
Also, do you know how aliasing would work? Would it change the actual Splunk source and host fields to something else as well? Example: FIELDALIAS-ASOURCETYPE - aname - host AS logging_host source AS logging_source
Yes, since your logs will still have a key-value pair for host/source, those fields will still exist, but the metadata fields take precedence, so they will not be available as host and source. A field alias likewise creates an alias of the field that has precedence (the metadata host/source), so it will not solve the issue. An alias does not change anything; it only creates a new field with the same value under a different name.
One last thing... currently the source and host fields are turning into mv fields because of the issue at hand. I'm not sure extractions to new fields would help this.
Either way, I'm not worried about that. I mostly just need the fields extracted so I can do splunky things on those new fields without the other metadata field's values in there messing it up.