Field Extraction to Modify Key in Key Value Pair a...

ezajac · ‎07-28-2014

How can I create a field extraction to modify a key in a key value pair? I have a new file that I am indexing. The key is using "source" and this is conflicting with the built in "source" in Splunk. Making this change when the file is getting indexed will not work in this situation. I am looking to do this at Search Time.

2014-07-23 09:59:56,996 || Thread=9 || channel=CONTACTVIEW || endTimeRaw=1406123991420 || duration=3786 || startTimeRaw=1406123987634 || source=Portfolio || endTime=2014-07-23T13:59:51.420Z

somesoni2 · ‎07-28-2014

you can extract value "Portfolio" with different field name using rex command or in the props.conf directly.

http://docs.splunk.com/Documentation/Splunk/6.1.2/Knowledge/Addfieldsatsearchtime

Using rex

your base search | rex " source=(?<orig_source>w+)"

you can put the same regex in props.conf.

[YourSourcetype]
...other settings...
EXTRACT-orig_group = (?i) source=(?<orig_source>w+)

strive · ‎07-28-2014

One way i can think of is replacing the word source in your logs. Check this

http://answers.splunk.com/answers/71277/character-set-replacement-during-indexing

ezajac · ‎07-28-2014

Can anything be done at Search Time like a field extraction?

Field Extraction to Modify Key in Key Value Pair at Search Time

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor