This may seem to be a fairly daft question, but after a fair bit of head-scratching I can't see an obvious answer.
The question is, where did a particular field come from?
The context is that I had a field which I could not alias because it was returned by a lookup. But there is no way to tell what the provenance of any given field is, as far as I know. So I had to look in all the apps on the system and eventually located it as an automatic lookup. Solution was to create a calculated field with the name I wanted, but that's beside the point.
Is there any way to get Splunk to tell where a particular field came from (app, .conf file) without either digging through everything by Mk1 eyeball, or splunking all your splunk config?