Solved: SEDCMD to change field name

saifuddin9122 · ‎02-07-2017

Hello
i have a log event as
DEBUG 2017.02.06 17:15:35.385: (common.work) Parsed source address, source='10.0.0.2' i want to change the source as src_ip at index time

can any one help me ?

Thanks in advance

somesoni2 · ‎02-07-2017

Try like this (props.conf on Indexer/heavy forwarder)

[YourSourceType]
...other settings..
SEDCMD-srcip = s/,\s+source=/, src_ip=/g

View solution in original post

twinspop · ‎02-07-2017

SEDCMD-source = s/, source=/, src_ip=/

Although I think a better option is to use a field alias. Settings -> Fields -> Field aliases

somesoni2 · ‎02-07-2017

Try like this (props.conf on Indexer/heavy forwarder)

[YourSourceType]
...other settings..
SEDCMD-srcip = s/,\s+source=/, src_ip=/g

SEDCMD to change field name

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation