Solved: source as fieldname

BryantD · ‎06-14-2011

Some of the logs I'm tracking use source as a fieldname within the log. E.g.:

2011-06-14 17:17:48.028 s=10 source=7592 source_type=2 target=7589 target_type=2

I can probably arrange to have this changed if necessary, but is there any reasonable workaround using field transforms or aliases? I tried adding a simple alias via the manager (source=gsource) but no luck there.

southeringtonp · ‎06-14-2011

The simplest approach is to create a separate transform and use a different field name.

For example:

#transforms.conf
[extract-gsource]
REGEX=source=(\S+)
FORMAT=gsource::$1

#props.conf
[mysourcetype]
REPORT-gsource = extract-gsource

View solution in original post

southeringtonp · ‎06-14-2011

The simplest approach is to create a separate transform and use a different field name.

For example:

#transforms.conf
[extract-gsource]
REGEX=source=(\S+)
FORMAT=gsource::$1

#props.conf
[mysourcetype]
REPORT-gsource = extract-gsource

BryantD · ‎06-14-2011

Works like a charm -- thanks!

source as fieldname

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

source as fieldname

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...