Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Create search time custom fields

brent_weaver
Builder
‎10-02-2016 06:35 PM

It seems that it is best to create fields at search time as opposed to index time.!?!? I need to make a field named src be copied/renamed to source_ip. We need to do this to simplify our searches and I am sure it is not hard to do.

Thanks!

Tags (1)
0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎10-02-2016 06:46 PM

Theres a few ways you can do this... Through SPL at search time, or via fields aliases..

In search.. It would look like this..

my search .. | eval source_ip = src | more search

Or you can use rename in SPL..

my search | rename source_ip AS src | more search

Other option would be to use a field alias associated to the specific sourcetype. You can read more about this here : http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addaliasestofields.

Reply
Get Updates on the Splunk Community!

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...

Buttercup Games: Further Dashboarding Techniques (Part 6)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top