Hello all,
I am pretty new to Splunk and trying to make sure I am following best practices as much as possible. Trying to make sure we follow CIM compliance for naming our fields when possible. What I am finding a little unclear in this process is: how do I handle the same field names across similar technologies? For example, if we have 3 different sets of logs for email, should all fields be named the same across all three technologies? Continuing on the mail example, assuming we have a mail device at the edge, a mail device in the DMZ, and then a mail device internally. Each of the hops is a different vendor, but the log data and format are pretty similar content-wise. When naming fields, is it best practice to name fields the same across all three technologies, or do I only name a specific set of fields the same? For the sake of clarity, let's assume that all three have a message_id, source_ip, destination_ip, subject, from, to. Is it best practice to name all those fields identically, or do I prepend them in any way?
Thanks for the help.
Use the same names. If you need to distinguish fields from the various devices, you can use the host or source fields.
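As an added illustration of that answer (not part of the original post), the props.conf fragment below aliases each vendor's native field names onto the CIM Email data model names, so searches and correlation rules see one set of fields (src, dest, message_id, subject, src_user, recipient) regardless of which hop produced the event, while host, source and sourcetype still tell the hops apart. The sourcetype names (mail:edge, mail:dmz, mail:internal) and the vendor-specific field names on the left of each AS are assumptions for the example; replace them with whatever your extractions actually produce.

```ini
# props.conf (example, hypothetical sourcetypes and vendor field names)
# Each stanza maps one vendor's field names onto the CIM Email data model.
# The right-hand side of every alias is identical across all three hops.

[mail:edge]
# Edge appliance: uses e.g. "sender_ip" / "rcpt_ip" in its own logs.
FIELDALIAS-cim_email = sender_ip AS src rcpt_ip AS dest msgid AS message_id mail_subject AS subject sender AS src_user rcpt AS recipient
EVAL-vendor_product = "ExampleVendor Edge"

[mail:dmz]
# DMZ relay: different vendor, different native names, same CIM targets.
FIELDALIAS-cim_email = source_ip AS src destination_ip AS dest message_id AS message_id subject AS subject from AS src_user to AS recipient
EVAL-vendor_product = "ExampleVendor DMZ"

[mail:internal]
# Internal mail server: again its own names, again the same CIM targets.
FIELDALIAS-cim_email = client_ip AS src server_ip AS dest id AS message_id subj AS subject mail_from AS src_user mail_to AS recipient
EVAL-vendor_product = "ExampleVendor Internal"

# Because the field names are shared, one search covers all three hops and
# the per-device split comes from host/source/sourcetype, not from the
# field names, e.g.:
#   (sourcetype=mail:edge OR sourcetype=mail:dmz OR sourcetype=mail:internal)
#   | stats values(host) AS hops dc(host) AS hop_count BY message_id src_user recipient
# A message_id with hop_count < 3 is one that did not traverse every device,
# which is the kind of gap a single naming scheme makes visible.
```

The design point is that the CIM data model, not the vendor, is the reference for the field names: the Email data model already defines src, dest, message_id, subject, src_user and recipient, so the question's source_ip/destination_ip/from/to map onto those rather than onto vendor-prefixed variants. Setting vendor_product (also a CIM field) per sourcetype gives you a third, search-friendly way to tell the hops apart alongside host and source.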