topic Re: Extract events for a specific EventCode from sourcetype=WinEventLog:Security and alias Account_Name to myAlias in Knowledge Management

Extract events for a specific EventCode from sourcetype=WinEventLog:Security and alias Account_Name to myAlias

rbhatia — Thu, 27 Jun 2013 18:49:56 GMT

I want to alias Account_Name field for specific EventCode

e.g. EventCode=1234

I want to find that event and alias Account_Name field of that event to lets say myAlias. These events are already in the index so I would like to extract them. Any suggestions how?

Re: Extract events for a specific EventCode from sourcetype=WinEventLog:Security and alias Account_Name to myAlias

lguinn2 — Thu, 27 Jun 2013 20:36:54 GMT

You can't create a field alias that only operates when certain conditions are met.

However, you could do a number of things that might accomplish what you want... what are you trying to accomplish?

You could just rename the field whenever you use it in the context of EventCode=1234:

eventCode=1234 | rename Account_Name as myAlias

You could do the following as well

yoursearchhere
| eval myAlias=if(eventCode=="1234",Account_Name,null())

The above eval statement only creates the myAlias field when the eventCode is 1234. You could even put the eval statement in a macro, so you wouldn't have to type it...

yoursearchhere | `setAlias`

Re: Extract events for a specific EventCode from sourcetype=WinEventLog:Security and alias Account_Name to myAlias

rbhatia — Fri, 28 Jun 2013 00:11:44 GMT

Thanks a lot. But I would like to do this through props.conf and transforms.conf?

Re: Extract events for a specific EventCode from sourcetype=WinEventLog:Security and alias Account_Name to myAlias

lguinn2 — Fri, 28 Jun 2013 02:39:58 GMT

You could set the field alias in props.conf, but you can't do it for only EventCode=1234.
That is, unless you want to assign that EventCode to a completely different sourcetype.
You could put this in props.conf

[thesourcetypehere] FIELDALIAS = Account_Name AS myAlias

but that would create the myAlias field for all events in the sourcetype, not just those with EventCode=1234

Re: Extract events for a specific EventCode from sourcetype=WinEventLog:Security and alias Account_Name to myAlias

rbhatia — Fri, 28 Jun 2013 16:48:57 GMT

Hi lguinn,

Thanks for your answer. I tried FIELDALIAS already but as you mentioned, it created Alias for all the events. But I was able to find the solution. Rather that creating an alias, I created an Extraction result with multiline regex

EXTRACT-test = (?ms)EventCode=1234.*Group:[\r\n]+(?:\t[^\r\n]+[\r\n]+)\t+Account\sName:\s+(?[^\r\n]+)

This worked for me. I found this in one of the threads in splunk-base. Thanks again for your reply.

Re: Extract events for a specific EventCode from sourcetype=WinEventLog:Security and alias Account_Name to myAlias

rbhatia — Fri, 28 Jun 2013 16:53:17 GMT

BTW just realized after posting the message all the r and n should be back slash \r and backslash \n.