
Can I alias "host" and "source" fields from incoming logs so they don't interfere with Splunk's built-in fields?

Builder

Splunk inherently has host and source fields to log the host (forwarder) and source (log file) for each event. However, a log source in my environment also has "host" and "source" fields representing completely different pieces of data.

How do I solve this issue? I cannot modify the log source's fields in question. My thought was to alias host/source AS something else, but what kind of effect would that have? Would it solve my issue or would it just change the Splunk host/source AND my log source to the new field alias?


Re: Can I alias "host" and "source" fields from incoming logs so they don't interfere with Splunk's built-in fields?

SplunkTrust

Option 1: Set up field extraction to capture host and source from your log data. Maybe rename them to logginghost/loggingsource. Either using props.conf OR props/transforms. See this
http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Createandmaintainsearch-timefieldextract...

Option 2: Use SEDCMD (assuming your log contains the host/source as a key-value pair) to modify the incoming logs and rename the fields in the log. See these
http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Anonymizedatausingconfigurationfiles
https://answers.splunk.com/answers/210096/how-to-configure-sedcmd-in-propsconf.html

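Both options as a props.conf stanza, added here as an illustration and not taken from the answer or the Splunk docs; the sourcetype name `my_app`, the `key=value` layout of the log line and the new field names are assumptions.

```ini
# props.conf  (added example; sourcetype name and log layout are assumed)
# Assumed raw event:  host=web01 source=/var/log/app.log msg="..."
[my_app]

# Option 1: search-time extraction. The log's own host/source values get
# their own names, so they never compete with Splunk's metadata host/source.
# Safe to deploy on the search head; the indexed raw event is untouched.
EXTRACT-logging_fields = host=(?<logginghost>\S+)\s+source=(?<loggingsource>\S+)

# Option 2: index-time rewrite. Must live on the parsing tier (indexer or
# heavy forwarder), not a universal forwarder. The keys are renamed before
# indexing, so later auto key-value extraction yields logginghost/loggingsource
# instead of host/source. Trade-off: the stored _raw no longer matches the
# original log text, so searches and forensics relying on "host=" will miss.
SEDCMD-rename_host   = s/(^| )host=/\1logginghost=/
SEDCMD-rename_source = s/(^| )source=/\1loggingsource=/

# For comparison, what the question proposed. This does not help: the alias
# reads the field that already wins precedence (the metadata host/source), so
# logginghost merely becomes a copy of the forwarder name.
# FIELDALIAS-metadata_copy = host AS logginghost source AS loggingsource
```

Use one option or the other, not both, since the SEDCMD rewrite removes the `host=` text that the EXTRACT regex expects.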


Re: Can I alias "host" and "source" fields from incoming logs so they don't interfere with Splunk's built-in fields?

Builder

Thanks. Just to be clear though, with option #1 I'll have the new logginghost and loggingsource fields, but source and host will still have the conflicts?

Also, do you know how aliasing would work? Would it change the actual Splunk source and host fields to something else as well? Example: FIELDALIAS-ASOURCETYPE - aname - host AS logginghost source AS loggingsource


Re: Can I alias "host" and "source" fields from incoming logs so they don't interfere with Splunk's built-in fields?

SplunkTrust

Yes, since your logs will still have a key-value pair for host/source, those fields will still exist, but the metadata fields would take precedence, so they will not be available as host and source. A field alias would likewise create an alias of the field having precedence (metadata host/source), so it will not solve any issue. An alias will not change anything but will create a new field with the same value and a different name.


Re: Can I alias "host" and "source" fields from incoming logs so they don't interfere with Splunk's built-in fields?

Builder

One last thing... currently the source and host fields are turning into mv fields because of the issue at hand. I'm not sure extractions to new fields would help this.

Either way, I'm not worried about that. I mostly just need the fields extracted so I can do splunky things on those new fields without the other metadata fields' values in there messing it up.
