Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a solution to handle a field name in my data that overlaps with the default "source" field name?

anewell
Path Finder
‎06-24-2015 11:35 AM

My raw data includes a field "source=SoftwareSubsystemFoo", a name which overlaps the default 'source' field. In the past, I had the same issue and I dimly recall that the overlapping field was renamed something like '_extracted_source'. As an underscored fieldname it was hidden from the UI unless requested directly with the | fields search command. I can't find the details in my notes, and my search-fu is failing.

Does this remapped field name exist? What is it?

An alternate solution would be to create a transform, but I have a large and variable number of sourcetypes which might have namespace collisions, and I'd prefer an automatic solution, particularly if it were already happening in the background.

Reference: http://answers.splunk.com/answers/26243/source-as-fieldname.html

0 Karma
Reply

lguinn2
Legend
‎06-24-2015 01:09 PM

I suggest that you set up a field alias for your source field. If your field name is converted to "extracted_source", you could set up an alias to name it something else - even "Source", although that might be confusing.

Go to Settings -> Fields -> Field Alias. Fill out the form. If you want others to be able to use the alias, be sure to set the permissions. Note that only a Splunk admin can set the permissions to "Global" so that the alias will be available throughout the environment (and you may want this).

0 Karma
Reply

sk314
Builder
‎06-24-2015 11:46 AM

FWIW, I use splunk 6.2.2 and had a csv file with a field named source. It got converted to extracted_source. you could simply rename the field in your logs or rename extracted_source to something else using the rename command.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...