Change field names of indexed data

JeremyHagan · ‎05-01-2016

Hi,
I've got a particular source type which I would like to modify the field names of so that they are CIM compliant. Eg rename source_ip to src_ip.

The field names are specified in the tranforms.conf. I am assuming that these field extractions are just search time and aren't written into the index. Is this correct? Will the field name change be reflected against data already indexed?

Cheers,
Jeremy.

woodcock · ‎05-02-2016

It depends. If you use REPORT- or EXTRACT- in props.conf, then the referenced extractions inside of transforms.conf happen at search-time, but if you call TRANSFORMS-, then they will happen at index-time. Read all about it here:

http://docs.splunk.com/Documentation/Splunk/6.2.5/admin/propsconf
http://docs.splunk.com/Documentation/Splunk/6.2.5/admin/transformsconf

JeremyHagan · ‎05-02-2016

Good answer. Thanks. We are using REPORT-, so it is all good.

woodcock · ‎05-03-2016

If you are all set then you should click Accept to close the question.

esix_splunk · ‎05-01-2016

Once data is indexed, it is not changeable. You can only transform it ( field alias, extractions, etc) at search time. So you are correct.

Cheers
Eric

Change field names of indexed data

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!