Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Create search time custom fields

brent_weaver
Builder
‎10-02-2016 06:35 PM

It seems that it is best to create fields at search time as opposed to index time.!?!? I need to make a field named src be copied/renamed to source_ip. We need to do this to simplify our searches and I am sure it is not hard to do.

Thanks!

Tags (1)
0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎10-02-2016 06:46 PM

Theres a few ways you can do this... Through SPL at search time, or via fields aliases..

In search.. It would look like this..

my search .. | eval source_ip = src | more search

Or you can use rename in SPL..

my search | rename source_ip AS src | more search

Other option would be to use a field alias associated to the specific sourcetype. You can read more about this here : http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addaliasestofields.

Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...