Why the src -> src_ip and dest -> dest_ip mapping?

[w3ttr3y]

Could commit fe41b4a be reverted?

Unfortunately I wasn't able to quickly find any justification for this commit, but I would like to request that it be reverted.

Assumption

My assumption is that src_ip and dest_ip always hold ip addresses

Justification

According to Splunk's Common Information Model (CIM) the Network Traffic model, dest_ip and src_ip should hold the ip address of the destination and source device when available. The src/dest fields should be populated with the src/dest ip, hostname, or mac address depending on what's available in the log. Thus when searching for an ip address, its standard to use src_ip/dest_ip.

While I can account for this in Splunk itself by using a regex to extract src to src_ip (similar for dest) if src/dest appear to be ip addresses, it is less work for the system, to just copy anything in the src_ip field to the src field. Even the documentation suggest src could be aliased from src_ip, src_mac etc (although best practice is not to alias but copy, but that's an advanced Splunk administration topic)

While that may seem like a very small thing (and it is), Splunk does these field extractions at search time. So every time that record is returned in a search result (okay there are exceptions and I'm simplifying), that extraction is done and it has to be done for EVERY search result of this sourcetype (again simplification; typically done by sourcetype but could be done in other ways).

When you consider its more performant on the Splunk side to reverse this change AND it simplifies the code here (quite trivially, but still), I believe this request is justified. Again, there's a huge caveat that I don't know why it was originally added and without that context I may be overlooking other issues.

[d1str0]

I will look into this