Solved: source as fieldname

BryantD · ‎06-14-2011

Some of the logs I'm tracking use source as a fieldname within the log. E.g.:

2011-06-14 17:17:48.028 s=10 source=7592 source_type=2 target=7589 target_type=2

I can probably arrange to have this changed if necessary, but is there any reasonable workaround using field transforms or aliases? I tried adding a simple alias via the manager (source=gsource) but no luck there.

southeringtonp · ‎06-14-2011

The simplest approach is to create a separate transform and use a different field name.

For example:

#transforms.conf
[extract-gsource]
REGEX=source=(\S+)
FORMAT=gsource::$1

#props.conf
[mysourcetype]
REPORT-gsource = extract-gsource

View solution in original post

southeringtonp · ‎06-14-2011

The simplest approach is to create a separate transform and use a different field name.

For example:

#transforms.conf
[extract-gsource]
REGEX=source=(\S+)
FORMAT=gsource::$1

#props.conf
[mysourcetype]
REPORT-gsource = extract-gsource

BryantD · ‎06-14-2011

Works like a charm -- thanks!

source as fieldname

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation