Solved: source as fieldname

BryantD · ‎06-14-2011

Some of the logs I'm tracking use source as a fieldname within the log. E.g.:

2011-06-14 17:17:48.028 s=10 source=7592 source_type=2 target=7589 target_type=2

I can probably arrange to have this changed if necessary, but is there any reasonable workaround using field transforms or aliases? I tried adding a simple alias via the manager (source=gsource) but no luck there.

southeringtonp · ‎06-14-2011

The simplest approach is to create a separate transform and use a different field name.

For example:

#transforms.conf
[extract-gsource]
REGEX=source=(\S+)
FORMAT=gsource::$1

#props.conf
[mysourcetype]
REPORT-gsource = extract-gsource

View solution in original post

southeringtonp · ‎06-14-2011

The simplest approach is to create a separate transform and use a different field name.

For example:

#transforms.conf
[extract-gsource]
REGEX=source=(\S+)
FORMAT=gsource::$1

#props.conf
[mysourcetype]
REPORT-gsource = extract-gsource

BryantD · ‎06-14-2011

Works like a charm -- thanks!

source as fieldname

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7