Re: Is there a solution to handle a field name in ...

anewell · ‎06-24-2015

My raw data includes a field "source=SoftwareSubsystemFoo", a name which overlaps the default 'source' field. In the past, I had the same issue and I dimly recall that the overlapping field was renamed something like '_extracted_source'. As an underscored fieldname it was hidden from the UI unless requested directly with the | fields search command. I can't find the details in my notes, and my search-fu is failing.

Does this remapped field name exist? What is it?

An alternate solution would be to create a transform, but I have a large and variable number of sourcetypes which might have namespace collisions, and I'd prefer an automatic solution, particularly if it were already happening in the background.

Reference: http://answers.splunk.com/answers/26243/source-as-fieldname.html

lguinn2 · ‎06-24-2015

I suggest that you set up a field alias for your source field. If your field name is converted to "extracted_source", you could set up an alias to name it something else - even "Source", although that might be confusing.

Go to Settings -> Fields -> Field Alias. Fill out the form. If you want others to be able to use the alias, be sure to set the permissions. Note that only a Splunk admin can set the permissions to "Global" so that the alias will be available throughout the environment (and you may want this).

sk314 · ‎06-24-2015

FWIW, I use splunk 6.2.2 and had a csv file with a field named source. It got converted to extracted_source. you could simply rename the field in your logs or rename extracted_source to something else using the rename command.

Is there a solution to handle a field name in my data that overlaps with the default "source" field name?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability