Knowledge Management

What are recommendations for field naming conventions to handle the same field names across different technologies?

splunker1981
Path Finder

Hello all,

I am pretty new to Splunk and trying to make sure I am following best practices as much as possible. Trying to make sure we follow CIM compliance for naming our fields when possible. What I am finding a little unclear in this process is: how do I handle the same field names across similar technologies? For example, if we have 3 different sets of logs for email, should all fields be named the same across all three technologies? Continuing on the mail example, assume we have a mail device at the edge, a mail device in the DMZ, and then a mail device internally. Each of the hops is a different vendor, but the log data and format are pretty similar content-wise. When naming fields, is it best practice to name fields the same across all three technologies, or do I only name a specific set of fields the same? For the sake of clarity, let's assume that all three have a message_id, source_ip, destination_ip, subject, from, to. Is it best practice to name all those fields identically, or do I prepend them in any way?

Thanks for the help.

richgalloway
SplunkTrust

Use the same names. If you need to distinguish fields from the various devices, you can use the host or source fields.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
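As an added example (not from the thread or from Splunk's own documentation), here is how that advice looks in a `props.conf`: each vendor's sourcetype keeps its raw extractions, and `FIELDALIAS` maps the vendor-specific names onto the same CIM Email data model field names (`message_id`, `src`, `dest`, `subject`, `src_user`, `recipient`). The sourcetype names (`edge_mta`, `dmz_mta`, `internal_mta`) and the vendor field names on the left-hand side of each alias are assumptions for illustration; substitute the names your own extractions produce.

```ini
# Added example: normalise three mail hops to common CIM Email field names.
# Sourcetype names and vendor field names are assumptions, not real products.

[edge_mta]
# Edge gateway logs call the sender "sender" and the recipient "rcpt".
FIELDALIAS-cim_email = msgid AS message_id src_ip AS src dst_ip AS dest sender AS src_user rcpt AS recipient subj AS subject
EVAL-vendor_product = "ExampleVendorA Edge MTA"

[dmz_mta]
# DMZ relay already uses from/to, but not the CIM names.
FIELDALIAS-cim_email = message_id AS message_id source_ip AS src destination_ip AS dest from AS src_user to AS recipient subject AS subject
EVAL-vendor_product = "ExampleVendorB DMZ Relay"

[internal_mta]
# Internal server uses yet another naming scheme.
FIELDALIAS-cim_email = mid AS message_id client_ip AS src server_ip AS dest envelope_from AS src_user envelope_to AS recipient subject AS subject
EVAL-vendor_product = "ExampleVendorC Internal Mail"
```

Because every hop now exposes the same field names, a single search can follow one message through all three devices and still tell the devices apart by `host` (or `sourcetype`), for example: `sourcetype IN (edge_mta, dmz_mta, internal_mta) message_id=* | stats values(host) AS hops dc(host) AS hop_count earliest(_time) AS first_seen latest(_time) AS last_seen BY message_id src_user recipient subject`. A message that shows `hop_count=1` when three hops are expected points at a delivery problem or a missing log source, which is the kind of check that prefixing the field names per vendor would have made much harder to write.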