topic Re: Is it possible to create a field alias by event type? in Getting Data In

Is it possible to create a field alias by event type?

noybin — Mon, 30 May 2016 14:53:06 GMT

I need to create a field aliase by event type. I saw that it is possible to reference an eventtype from the props.conf:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Propsconf
I am running Splunk 6.3.1

I've tried the following without success:

props.conf

[eventtype::opsec_vpn_bachata]
FIELDALIAS-user_for_opsec_vpn_bachata           = user_dn as user
FIELDALIAS-user_for_opsec_vpn_bachata_cust           = user_dn as user_cust
LOOKUP-action_for_opsec_bachata       = te_action_lookup te_action OUTPUT action

eventtypes.conf

[opsec_vpn_bachata]
search = index="opsec-lea-cust" orig=bachata event_type=Login
#tags = vpn authentication*

Thank you very much.

Re: Is it possible to create a field alias by event type?

woodcock — Mon, 30 May 2016 17:15:16 GMT

I would open a support case. That "feature" is documented only in v6.3.0 and v6.3.1 of props.conf but disappears from v6.3.2 documentation versions and later. I can find no mention of the feature being added or deleted in any of the v6.* release notes. Did this ever work? What is the story? Only splunk can say.

Re: Is it possible to create a field alias by event type?

noybin — Mon, 30 May 2016 21:03:03 GMT

Thanks for your answer.

I am opening the case.
In the meantime, do you know a way to achieve what I am trying to do?

Thank's again.

Re: Is it possible to create a field alias by event type?

woodcock — Tue, 31 May 2016 00:44:16 GMT

You should be able to do something like this in props.conf instead:

[YourSourcetypeHere]
EVAL-user = if((eventtype=opsec_vpn_bachata)), user_dn, null())

Re: Is it possible to create a field alias by event type?

pinVie — Mon, 27 Jun 2016 10:34:55 GMT

Hi,

I worked on the very similar problem right now but I had a to match on a mv field.

So i used something like this:

EVAL-action = if(mvfind(eventtype,"usp_nac-state_change")=1, "modified", null())

Maybe it helps someone in the future 🙂

Re: Is it possible to create a field alias by event type?

woodcock — Mon, 27 Jun 2016 12:52:05 GMT

See my answer. It works.

Re: Is it possible to create a field alias by event type?

sideview — Wed, 14 Feb 2018 00:26:04 GMT

This shouldn't work, because the calculated fields are made well before the typer even runs.

Typer and thus eventtypes, don't exist until after all the other props.conf stuff is done -- extractions, Aliases, calculated fields and lookups.