<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Renaming Fields in Data in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Renaming-Fields-in-Data/m-p/543368#M90724</link>
    <description>&lt;P&gt;Good Morning,&lt;/P&gt;&lt;P&gt;We are having a bit of an issue with our data "layout". In our wineventlogs we have a field in the XML called Parent Process Name, but it shows up in our events as Creation Process Name. The issue we are having is that our correlation searches are using the Parent Process Name to find certain events, so this isn't matching up. I am curious about the best way to make sure that the Parent Process Name field stays named in this setup and is not changed to Creation Process Name. I have attempted to turn on the rendered XML in order to have it come over in this format, but to no avail. I have also thought about using transforms and props.conf, but I am not sure where the switch is taking place.&lt;/P&gt;&lt;P&gt;Field Example:&lt;/P&gt;&lt;P&gt;Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe&lt;/P&gt;&lt;P&gt;The way that data is flowing is UF ----&amp;gt; Heavy Forwarder ------&amp;gt; Splunk Cloud&lt;/P&gt;&lt;P&gt;Field example would be:&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;</description>
    <pubDate>Thu, 11 Mar 2021 14:08:36 GMT</pubDate>
    <dc:creator>defikes</dc:creator>
    <dc:date>2021-03-11T14:08:36Z</dc:date>
    <item>
      <title>Renaming Fields in Data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Renaming-Fields-in-Data/m-p/543368#M90724</link>
      <description>&lt;P&gt;Good Morning,&lt;/P&gt;&lt;P&gt;We are having a bit of an issue with our data "layout". In our wineventlogs we have a field in the XML called Parent Process Name, but it shows up in our events as Creation Process Name. The issue we are having is that our correlation searches are using the Parent Process Name to find certain events, so this isn't matching up. I am curious about the best way to make sure that the Parent Process Name field stays named in this setup and is not changed to Creation Process Name. I have attempted to turn on the rendered XML in order to have it come over in this format, but to no avail. I have also thought about using transforms and props.conf, but I am not sure where the switch is taking place.&lt;/P&gt;&lt;P&gt;Field Example:&lt;/P&gt;&lt;P&gt;Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe&lt;/P&gt;&lt;P&gt;The way that data is flowing is UF ----&amp;gt; Heavy Forwarder ------&amp;gt; Splunk Cloud&lt;/P&gt;&lt;P&gt;Field example would be:&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 11 Mar 2021 14:08:36 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Renaming-Fields-in-Data/m-p/543368#M90724</guid>
      <dc:creator>defikes</dc:creator>
      <dc:date>2021-03-11T14:08:36Z</dc:date>
    </item>
    <item>
      <title>Re: Renaming Fields in Data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Renaming-Fields-in-Data/m-p/543374#M90725</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229321"&gt;@defikes&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;did you try to create an alias on your Search Heads?&lt;/P&gt;&lt;P&gt;for more info see&amp;nbsp;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.1.2/Knowledge/Addaliasestofields" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/8.1.2/Knowledge/Addaliasestofields&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
      <pubDate>Thu, 11 Mar 2021 14:40:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Renaming-Fields-in-Data/m-p/543374#M90725</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2021-03-11T14:40:19Z</dc:date>
    </item>
    <item>
      <title>Re: Renaming Fields in Data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Renaming-Fields-in-Data/m-p/543548#M90745</link>
      <description>&lt;P&gt;Thank you for that insight. This appears to have worked&lt;/P&gt;</description>
      <pubDate>Fri, 12 Mar 2021 14:05:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Renaming-Fields-in-Data/m-p/543548#M90745</guid>
      <dc:creator>defikes</dc:creator>
      <dc:date>2021-03-12T14:05:33Z</dc:date>
    </item>
    <item>
      <title>Re: Renaming Fields in Data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Renaming-Fields-in-Data/m-p/543549#M90746</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229321"&gt;@defikes&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;good for you!&lt;/P&gt;&lt;P&gt;Ciao and happy splunking.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;&lt;P&gt;P.S.: Karma Points are appreciated &lt;span class="lia-unicode-emoji" title=":winking_face:"&gt;😉&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 12 Mar 2021 14:09:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Renaming-Fields-in-Data/m-p/543549#M90746</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2021-03-12T14:09:41Z</dc:date>
    </item>
  </channel>
</rss>

