topic Re: Applying many field aliases to many sourcetypes in Knowledge Management

Applying many field aliases to many sourcetypes

brajaram — Fri, 23 Mar 2018 20:53:11 GMT

I'm trying to find a way to create multiple field aliases across many sourcetypes. Much of our data being fed into splunk is done through JSON format, so field names are entire paths - something.something.moreannoyingthings. While it doesn't directly affect querying, I wanted to set up multiple field aliases to make our users lives easier.

However, we have a variety of sourcetypes that, while containing similar JSON data, are split for good reasons. As a result, any field alias I create would have to be duplicated many times, and I want to create many. In addition, any time we create a new sourcetype, I would need to retread the same work.

Is there a way to apply some sort of regex to sourcetypes to be able to apply a given field alias across many sourcetypes? Even something simple like *-prod.

Re: Applying many field aliases to many sourcetypes

Azeemering — Fri, 23 Mar 2018 21:34:41 GMT

Yes, you can do this by adding regex to a stanza. (NOT SUPPORTED I believe)

I’ve seen an example like this;

Let’s say you have 3 sourcetypes

acme:users
acme:logins
acme:sessions

Stanza [acme:] will NOT work.
But regexed stanza [(?::){0}acme:] WILL work.

I have not tested this myself...

Re: Applying many field aliases to many sourcetypes

brajaram — Fri, 23 Mar 2018 21:36:54 GMT

I assume this needs to be defined in props.conf? We use splunk web so I assume I can't do this through the web UI?

Re: Applying many field aliases to many sourcetypes

ddrillic — Sat, 24 Mar 2018 22:05:51 GMT

We had a similar thread at How can we apply TRUNCATE across many sourcetypes?