Where do fields come from?


This may seem to be a fairly daft question, but after a fair bit of head-scratching I can't see an obvious answer.
The question is, where did a particular field come from?
The context is that I had a field which I could not alias because it was returned by a lookup. But there is no way to tell what the provenance of any given field is, as far as I know. So I had to look in all the apps on the system and eventually located it as an automatic lookup. The solution was to create a calculated field with the name I wanted, but that's beside the point.

Is there any way to get Splunk to tell where a particular field came from (app, .conf file) without either digging through everything by Mk1 eyeball, or splunking all your splunk config?



Pretty much as I thought then.

It seems to me that if you're using something like git to store your splunk configs--and you should be!--it will be simpler in most cases to assemble an app to splunk your git repo and search your configuration elements that way.

I have actually done this myself years ago but neglected to retain the exact method when I left that engagement. What I do remember is that it involved using only one depth of the repo (i.e. current master versions for all configs) and storing the full path, the conf file path and name, and the specific element which was configured. Keyword searches for any item then showed you what sort of a thing it was, where it was defined and additionally where it was used.

This was also handy for finding out whether you had an existing sourcetype you could use, or whether you had to create a new one. Might seem trivial, but it isn't when you have hundreds or thousands of data sources and sourcetypes in a large enterprise.

Ah well, might need to figure out how to do it all over again!

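The question above (which app and .conf file a field comes from) and the follow-up (indexing the config repo so that field definitions become searchable) both come down to the same thing: walking the app tree and recording, for every field-defining setting in props.conf, the app, layer, file, stanza and setting that introduced it. The script below is an added example written for this page, not code from the original thread or from Splunk; it builds a constructed `etc/apps`-style tree in a temp directory (the app names `TA-constructed` and `search`, the sourcetype `constructed:auth` and the lookup `user_dept_lookup` are all made up) and covers `EXTRACT-`, `FIELDALIAS-`, `EVAL-` and `LOOKUP-` settings. The records it emits are flat key/value dicts, so the same output could be written out as a CSV or JSON file and indexed the way the follow-up describes.

```python
"""Locate which Splunk app, layer and props.conf stanza defines a field.

Added example (not from the thread). It walks a Splunk-style etc/apps tree,
parses each props.conf and records every field introduced by EXTRACT-,
FIELDALIAS-, EVAL- and LOOKUP- settings. The sample apps are constructed.
"""
import configparser
import os
import re
import tempfile
from collections import defaultdict

# Named capture groups in an EXTRACT- regex: (?<name>...) or (?P<name>...)
NAMED_GROUP = re.compile(r"\(\?P?<(\w+)>")
# "orig AS alias" pairs used by FIELDALIAS- and by LOOKUP- OUTPUT lists
AS_ALIAS = re.compile(r"\b(\w+)\s+AS\s+(\w+)", re.IGNORECASE)


def fields_from_setting(key, value):
    """Return the field names a single props.conf key/value introduces."""
    if key.startswith("EXTRACT-"):
        return NAMED_GROUP.findall(value)
    if key.startswith("FIELDALIAS-"):
        return [alias for _orig, alias in AS_ALIAS.findall(value)]
    if key.startswith("EVAL-"):
        # The field name is the part of the key after the prefix.
        return [key[len("EVAL-"):]]
    if key.startswith("LOOKUP-"):
        # Fields after OUTPUT/OUTPUTNEW are the ones the lookup adds;
        # "x AS y" means the event gets y, so replace each pair with its alias.
        m = re.search(r"\bOUTPUT(?:NEW)?\b(.*)$", value, re.IGNORECASE)
        if not m:
            return []
        outputs = AS_ALIAS.sub(r"\2", m.group(1))
        return [t for t in re.split(r"[\s,]+", outputs.strip()) if t]
    return []


def read_conf(path):
    """Parse a Splunk .conf file (INI-like, case-sensitive keys, '=' only)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False, allow_no_value=True)
    cp.optionxform = str  # keep EXTRACT-foo vs extract-foo distinct
    with open(path, encoding="utf-8") as fh:
        cp.read_file(fh)
    return cp


def index_fields(apps_dir):
    """Map field name -> list of provenance records across all apps/layers."""
    index = defaultdict(list)
    for app in sorted(os.listdir(apps_dir)):
        for layer in ("default", "local"):  # local overrides default in Splunk
            path = os.path.join(apps_dir, app, layer, "props.conf")
            if not os.path.isfile(path):
                continue
            cp = read_conf(path)
            for stanza in cp.sections():
                for key, value in cp.items(stanza):
                    for field in fields_from_setting(key, value or ""):
                        index[field].append({
                            "field": field, "app": app, "layer": layer,
                            "file": path, "stanza": stanza,
                            "setting": key, "value": value,
                        })
    return dict(index)


def where_defined(index, field):
    """Human-readable provenance lines for one field (empty if unknown)."""
    return [f"{r['app']}/{r['layer']}/props.conf [{r['stanza']}] {r['setting']}"
            for r in index.get(field, [])]


# Constructed sample apps; none of these names refer to real Splunk content.
SAMPLE_APPS = {
    ("TA-constructed", "default"): r"""
[constructed:auth]
EXTRACT-kv = user=(?<user>\w+)\s+host=(?<host>\S+)
EVAL-is_admin = if(user=="root", 1, 0)
LOOKUP-dept = user_dept_lookup user OUTPUT department AS user_dept location
""",
    ("search", "local"): r"""
[constructed:auth]
FIELDALIAS-cim = user AS src_user host AS src_host
""",
}


def build_sample_tree():
    """Write the constructed apps to a temp dir shaped like etc/apps."""
    base = tempfile.mkdtemp(prefix="splunk_apps_")
    for (app, layer), text in SAMPLE_APPS.items():
        layer_dir = os.path.join(base, app, layer)
        os.makedirs(layer_dir)
        with open(os.path.join(layer_dir, "props.conf"), "w", encoding="utf-8") as fh:
            fh.write(text.lstrip())
    return base


if __name__ == "__main__":
    idx = index_fields(build_sample_tree())
    for name in sorted(idx):
        for line in where_defined(idx, name):
            print(f"{name:10s} <- {line}")
```

On a live search head the same provenance can be read straight from Splunk's own merged view: `splunk btool props list --debug` prints, in front of every setting, the file it was read from, so grepping that output for a field name answers the "which app and .conf" question without touching the filesystem by hand. The script above is for the case where the configs live in a repository rather than on a running instance, and it deliberately stops at props.conf; REPORT- settings and automatic lookups defined in transforms.conf would need the same treatment applied to that file.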



I think this is answering a similar question.

Hope this helps, Thanks!
