I have a set of log events that contain the following key-value pair: "source" : "integer".
Therefore, Splunk is reporting this field named source as source log. Example:
source (categorical)
Appears in 100% of results
Top 10 values    #      %
4111             506    50,600%
18324            506    50,600%
4110             412    41,200%
16141            412    41,200%
7641             406    40,600%
10002            50     5,000%
10012            50     5,000%
15152            50     5,000%
10003            32     3,200%
4115             20     2,000%
How can I correct this issue?
Thanks,
Lp
Sorry, I don't really understand. Does Splunk rename your data to a new field name called source_log?
Or does the 'real' source data, e.g. '/var/log/secure', get overwritten with your values?
/k
For the sourcetype which contains these events, you'll want to create a props.conf stanza that uses a regular expression to extract this field, but with a different name. A possible example is below.
[my_sourcetype]
# Quotes are optional so the rule matches both "source" : "4111" and source : 4111
EXTRACT-mysource = "?source"?\s*:\s*"?(?<source_num>\d+)
In this example, that integer would be captured in a field named source_num.
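To check that the rule does what the answer describes before touching props.conf, here is an added example (not from the answer or from Splunk) that models search-time extraction over a few constructed events. It assumes the sourcetype name my_sourcetype and the metadata source paths shown are placeholders; the EXTRACT regex is applied per sourcetype, and the result shows the integer landing in source_num while the metadata field source keeps its file path.

```python
import re

# Constructed sample events, stored the way Splunk keeps them: raw text plus
# the metadata fields source and sourcetype. The file paths are placeholders.
SAMPLE_EVENTS = [
    {"_raw": '{"ts": "2024-01-01T10:00:00Z", "source" : "4111", "msg": "login ok"}',
     "source": "/var/log/app.log", "sourcetype": "my_sourcetype"},
    {"_raw": '{"ts": "2024-01-01T10:00:01Z", "source" : "18324", "msg": "login ok"}',
     "source": "/var/log/app.log", "sourcetype": "my_sourcetype"},
    {"_raw": "plain text event without the pair",
     "source": "/var/log/app.log", "sourcetype": "my_sourcetype"},
    # Same pair, but a sourcetype with no EXTRACT rule: nothing is extracted.
    {"_raw": '{"source" : "7641"}',
     "source": "/var/log/other.log", "sourcetype": "other_sourcetype"},
]

# EXTRACT rules keyed by sourcetype, as in a props.conf stanza. Quotes are
# optional so both "source" : "4111" and source : 4111 match.
EXTRACT_RULES = {
    "my_sourcetype": r'"?source"?\s*:\s*"?(?<source_num>\d+)',
}


def pcre_to_python(pattern: str) -> str:
    """Translate the PCRE named-group syntax (?<name>...) that Splunk accepts
    into Python's (?P<name>...), leaving lookbehinds (?<= and (?<! untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def apply_extract(event: dict, rules: dict = EXTRACT_RULES) -> dict:
    """Model Splunk search-time extraction: run the sourcetype's regex over
    _raw and add each named group as a field. Metadata such as 'source' is
    never overwritten; the integer is added as 'source_num' instead."""
    fields = dict(event)
    pattern = rules.get(event["sourcetype"])
    if pattern is None:
        return fields
    match = re.search(pcre_to_python(pattern), event["_raw"])
    if match:
        fields.update(match.groupdict())
    return fields


def extract_all(events=SAMPLE_EVENTS) -> list:
    """Apply the rules to every event and return the extracted field sets."""
    return [apply_extract(e) for e in events]


if __name__ == "__main__":
    for f in extract_all():
        print(f["sourcetype"], f["source"], f.get("source_num"))
```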
Can you provide some sample log events?
That is the first thing I did, but it did not work.
Thanks.