Solved: Re: source as fieldname

BryantD · ‎06-14-2011

Some of the logs I'm tracking use source as a fieldname within the log. E.g.:

2011-06-14 17:17:48.028 s=10 source=7592 source_type=2 target=7589 target_type=2

I can probably arrange to have this changed if necessary, but is there any reasonable workaround using field transforms or aliases? I tried adding a simple alias via the manager (source=gsource) but no luck there.

southeringtonp · ‎06-14-2011

The simplest approach is to create a separate transform and use a different field name.

For example:

#transforms.conf
[extract-gsource]
REGEX=source=(\S+)
FORMAT=gsource::$1

#props.conf
[mysourcetype]
REPORT-gsource = extract-gsource

View solution in original post

southeringtonp · ‎06-14-2011

The simplest approach is to create a separate transform and use a different field name.

For example:

#transforms.conf
[extract-gsource]
REGEX=source=(\S+)
FORMAT=gsource::$1

#props.conf
[mysourcetype]
REPORT-gsource = extract-gsource

BryantD · ‎06-14-2011

Works like a charm -- thanks!

source as fieldname

Unlock Database Monitoring with Splunk Observability Cloud

Print, Leak, Repeat: UEBA Insider Threats You Can't Ignore

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

source as fieldname

Unlock Database Monitoring with Splunk Observability Cloud

Print, Leak, Repeat: UEBA Insider Threats You Can't Ignore

Splunk MCP & Agentic AI: Machine Data Without Limits