My raw data includes a field "source=SoftwareSubsystemFoo", a name which overlaps the default 'source' field. In the past, I had the same issue and I dimly recall that the overlapping field was renamed something like '_extracted_source'. As an underscored fieldname it was hidden from the UI unless requested directly with the | fields search command. I can't find the details in my notes, and my search-fu is failing.
Does this remapped field name exist? What is it?
An alternate solution would be to create a transform, but I have a large and variable number of sourcetypes which might have namespace collisions, and I'd prefer an automatic solution, particularly if it were already happening in the background.
Reference: http://answers.splunk.com/answers/26243/source-as-fieldname.html
I suggest that you set up a field alias for your source field. If your field name is converted to "extracted_source", you could set up an alias to name it something else - even "Source", although that might be confusing.
Go to Settings -> Fields -> Field Alias. Fill out the form. If you want others to be able to use the alias, be sure to set the permissions. Note that only a Splunk admin can set the permissions to "Global" so that the alias will be available throughout the environment (and you may want this).
FWIW, I use Splunk 6.2.2 and had a CSV file with a field named source. It got converted to extracted_source. You could simply rename the field in your logs or rename extracted_source to something else using the rename command.