Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I rename fields based on source?

snorri
Path Finder
‎10-23-2017 04:47 AM

I have data coming in from two different sources wich both contains the same fieldname.
how can I tell them apart in a search.

For example:
source1 have a field named ID and so does source2.
How can I rename the ID from source1 to ID1 and the ID from source2 to ID2?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-23-2017 05:34 AM

HI snorri,
if they are different sourcetype you can set an alias or a calculated field for one of the flows:
[Settings -- Fields -- Field Alias -- New ] setting the alias for that sourcetype.

If you have the same sourcetype you can use the same way using source instead sourcetype.

Bye.
Giuseppe

0 Karma
Reply

cmerriman
Super Champion
‎10-23-2017 05:29 AM

try this:

|eval ID1=if(source="source1",ID,null())
|eval ID2=if(source="source2",ID,null())

you could create an Event Type/Tag for these, so you don't have to keep distinguishing them in each search. Go to Settings>Event types

http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/Abouteventtypes

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...