Looking for the most effective way to "normalize" fields across multiple indexes and sourcetypes.
We have 30+ indexes with that many (or more) sourcetypes. Many of these are for internal applications that I pull data from SQL databases. This has caused issues with trying to search on all indexes for Source or Destination IP. Looking for a way to take this list (only a sample of the fields I have found so far), and to be able to group all Source IPs into a src_ip field. Same with Destination. (I will map each; the method of mapping in Splunk is what I am looking for.)
Anyone have a suggestion for an effective way to do this, rather than making a very complex search?
field
AdminIPAddress
ClientIP
Client_IP
Client_ip
ComputerIPAddress
Description
DestinationIPAddress
Framed_IP_Address
IP
IpAddress
Local_IP
NAS_IP_Address
NatIP
Nat_ip
Remote_ip
VserverServiceIP
Vserver_ip
X_MS_Forwarded_Client_IP
assigned_ip
c_ip
client_ip
dest_ip
dest_ipv6
dest_translated_ip
dst_ip
ip
nsica_session_client_ip
nsica_session_server_ip
s_ip
server_ip
src_ip
src_ipv6
src_public_ip
src_translated_ip
Thank you,
Brian
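An added example of one way to do this kind of mapping in Splunk, not from the original post or from any answer to it: search-time field aliases in props.conf. A FIELDALIAS stanza runs per sourcetype (or per source/host), after automatic field extraction and before calculated fields and lookups, and it leaves the original field in place, so existing searches keep working. The sourcetype names below and the decision of which field is "source" and which is "destination" are assumptions made for illustration; the real mapping is whatever the author works out for each application. Field names in Splunk are case-sensitive, so ClientIP, Client_IP and Client_ip each need their own alias.

```ini
# Added example, not the original poster's configuration.
# File: etc/apps/<your_app>/local/props.conf on the search head(s).
# Stanza names are assumed sourcetypes; source/destination assignments are
# assumptions for illustration. Multiple "<orig> AS <new>" pairs may share one
# FIELDALIAS line. src_ip / dest_ip are the names the Splunk CIM uses, which
# is why they make a good normalization target.

[app_sql_logins]
# Several original names collapse onto one normalized name; originals remain.
FIELDALIAS-norm_src  = ClientIP AS src_ip Client_IP AS src_ip Client_ip AS src_ip c_ip AS src_ip client_ip AS src_ip
FIELDALIAS-norm_dest = DestinationIPAddress AS dest_ip server_ip AS dest_ip s_ip AS dest_ip dst_ip AS dest_ip

[radius_accounting]
# Assumed: the address handed to the client is the source, the NAS is the destination.
FIELDALIAS-norm_src  = Framed_IP_Address AS src_ip
FIELDALIAS-norm_dest = NAS_IP_Address AS dest_ip

[netscaler_ica]
FIELDALIAS-norm_src  = nsica_session_client_ip AS src_ip
FIELDALIAS-norm_dest = nsica_session_server_ip AS dest_ip
```

After the file is in place (reload search-time configuration or restart), a check such as `index=* (src_ip=* OR dest_ip=*) | stats count by index sourcetype` shows which sourcetypes now carry the normalized fields, and `index=* src_ip=<address>` becomes the single search the question is after. Where a sourcetype can carry an address under more than one of its own field names in the same event, a calculated field (`EVAL-src_ip = coalesce(src_ip, ClientIP, c_ip)`) chooses one value in a defined order instead of producing a multivalue field; because calculated fields are evaluated after aliases, the two mechanisms can be combined.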