https://community.splunk.com/t5/Getting-Data-In/Can-you-rename-fields-that-were-automatically-extracted-with-KV/m-p/251498#M48417 <P>If I have Key-Value pair events and fields that are automatically extracted with <CODE>KV_MODE=auto</CODE> in props.conf, can I apply a field transformation to an extracted field? </P> <P>For example, I have a field UserName that appears in the raw events like (e.g., ... UserName="ryan" ...). I want a field <STRONG>user</STRONG> to appear at search-time, but I don't want to use and EVAL- or a FIELDALIAS- clause in props.conf, because I don't to overload the server and how it looks for fields (see <A href="https://splunkbase.splunk.com/app/2871/">https://splunkbase.splunk.com/app/2871/</A> and explanation about how litsearch works). </P> <P>I have tried using this in props.conf</P> <PRE><CODE>[my_src_type] KV_MODE = auto REPORT-extractions = RenameUser,ExtractSessionType </CODE></PRE> <P>And the following in transforms.conf</P> <PRE><CODE>[RenameUser] SOURCE_KEY = UserName REGEX = (.+) FORMAT = user::"$1" [ExtractSessionType] REGEX = SessionName="(?&lt;SessionType&gt;\w+(-\w+)*)\S*" </CODE></PRE> <P>The "SessionType" field extractions from the "SessionName" field are successful, but the "UserName" field is never renamed to "user".</P> <P>Is this possible with the Key-Value extractions being applied first?</P> <P>I have looked in the job inspector and found no mention of errors or issues.</P> Mon, 16 May 2016 22:39:43 GMT rjthibod 2016-05-16T22:39:43Z https://community.splunk.com/t5/Getting-Data-In/Can-you-rename-fields-that-were-automatically-extracted-with-KV/m-p/251498#M48417 <P>If I have Key-Value pair events and fields that are automatically extracted with <CODE>KV_MODE=auto</CODE> in props.conf, can I apply a field transformation to an extracted field? </P> <P>For example, I have a field UserName that appears in the raw events like (e.g., ... UserName="ryan" ...). I want a field <STRONG>user</STRONG> to appear at search-time, but I don't want to use and EVAL- or a FIELDALIAS- clause in props.conf, because I don't to overload the server and how it looks for fields (see <A href="https://splunkbase.splunk.com/app/2871/">https://splunkbase.splunk.com/app/2871/</A> and explanation about how litsearch works). </P> <P>I have tried using this in props.conf</P> <PRE><CODE>[my_src_type] KV_MODE = auto REPORT-extractions = RenameUser,ExtractSessionType </CODE></PRE> <P>And the following in transforms.conf</P> <PRE><CODE>[RenameUser] SOURCE_KEY = UserName REGEX = (.+) FORMAT = user::"$1" [ExtractSessionType] REGEX = SessionName="(?&lt;SessionType&gt;\w+(-\w+)*)\S*" </CODE></PRE> <P>The "SessionType" field extractions from the "SessionName" field are successful, but the "UserName" field is never renamed to "user".</P> <P>Is this possible with the Key-Value extractions being applied first?</P> <P>I have looked in the job inspector and found no mention of errors or issues.</P> Mon, 16 May 2016 22:39:43 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-rename-fields-that-were-automatically-extracted-with-KV/m-p/251498#M48417 rjthibod 2016-05-16T22:39:43Z https://community.splunk.com/t5/Getting-Data-In/Can-you-rename-fields-that-were-automatically-extracted-with-KV/m-p/251499#M48418 <P>My own experimenting seems to say that using "EXTRACT-" clauses won't work either. I am guessing this has to do with the use of KV_MODE being set to "auto". I am probably abandoning it for now, but would welcome any response from someone that can give a definitive answer.</P> Tue, 17 May 2016 01:50:17 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-rename-fields-that-were-automatically-extracted-with-KV/m-p/251499#M48418 rjthibod 2016-05-17T01:50:17Z https://community.splunk.com/t5/Getting-Data-In/Can-you-rename-fields-that-were-automatically-extracted-with-KV/m-p/251500#M48419 <P>The only way to do what you are asking (and I would not do it) is to change it in the raw event using <CODE>SEDCMD</CODE>. Check it out here:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Anonymizedatausingconfigurationfiles">http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Anonymizedatausingconfigurationfiles</A></P> <P>IMHO, the proper policy should be that it is OK to have one alias per field but ONLY one (preferably none). The exploding litsearch is a problem but Splunk is aggressively working on it and it isn't (usually) as bad as it seems (except for with ES).</P> Sun, 29 May 2016 14:13:05 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-rename-fields-that-were-automatically-extracted-with-KV/m-p/251500#M48419 woodcock 2016-05-29T14:13:05Z