https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-an-alias-for-a-CIM-field-in-Splunk-ES/m-p/502323#M8872 <P>I am extracting the src and user values from failed login attempts in Shibboleth logs and the value is "failed" so I can set an event type for failed Shib login attempts.</P> <P>When I check the CIM documentation for fields for Authentication event datasets, I see the value ES expects is "failure".</P> <P>How do I create an alias for the field action so that "failed" is set to "failure" so ES can then leverage it?</P> <P>Thx </P> Fri, 06 Dec 2019 16:57:17 GMT jwalzerpitt 2019-12-06T16:57:17Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-an-alias-for-a-CIM-field-in-Splunk-ES/m-p/502323#M8872 <P>I am extracting the src and user values from failed login attempts in Shibboleth logs and the value is "failed" so I can set an event type for failed Shib login attempts.</P> <P>When I check the CIM documentation for fields for Authentication event datasets, I see the value ES expects is "failure".</P> <P>How do I create an alias for the field action so that "failed" is set to "failure" so ES can then leverage it?</P> <P>Thx </P> Fri, 06 Dec 2019 16:57:17 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-an-alias-for-a-CIM-field-in-Splunk-ES/m-p/502323#M8872 jwalzerpitt 2019-12-06T16:57:17Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-an-alias-for-a-CIM-field-in-Splunk-ES/m-p/502324#M8873 <P>Actually digging through Splunk Answers saw a way to use sedcmd and was wondering if this would be a way to handle the issue:</P> <PRE><CODE>index=foo sourcetype="shibboleth:process" "Login by*" failed | rex mode=sed field=_raw "s/failed/failure/g" | rex field=_raw "-\s\[(?P&lt;src&gt;(?:[0-9]{1,3}\.){3}[0-9]{1,3}).*:\sLogin\sby\s'(?P&lt;user&gt;.*)'\s(?P&lt;action&gt;failure)" </CODE></PRE> <P>Running this extracts all three fields with correct values. If this looks good, could I then create an event type with this search for failed Shib login attempts?</P> <P>Thx</P> Fri, 06 Dec 2019 17:17:48 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-an-alias-for-a-CIM-field-in-Splunk-ES/m-p/502324#M8873 jwalzerpitt 2019-12-06T17:17:48Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-an-alias-for-a-CIM-field-in-Splunk-ES/m-p/502325#M8874 <P>Would a field alias do the trick? <A href="https://docs.splunk.com/Documentation/CIM/4.14.0/User/UsetheCIMtonormalizeCPUperformancemetrics#Step_5._Make_fields_CIM-compliant_2">https://docs.splunk.com/Documentation/CIM/4.14.0/User/UsetheCIMtonormalizeCPUperformancemetrics#Step_5._Make_fields_CIM-compliant_2</A></P> Fri, 06 Dec 2019 17:43:43 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-an-alias-for-a-CIM-field-in-Splunk-ES/m-p/502325#M8874 lkutch_splunk 2019-12-06T17:43:43Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-an-alias-for-a-CIM-field-in-Splunk-ES/m-p/502326#M8875 <P>Thx for the reply and link to the doc.</P> <P>It's not so much the field needs an alias, but the value "failed" needs to be set as "failure". I thought that's where the SEDCMD would come into play. </P> Fri, 06 Dec 2019 17:59:21 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-an-alias-for-a-CIM-field-in-Splunk-ES/m-p/502326#M8875 jwalzerpitt 2019-12-06T17:59:21Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-an-alias-for-a-CIM-field-in-Splunk-ES/m-p/502327#M8876 <P>Probably the string <CODE>failed</CODE> is in your logs and it is a simple field extraction. If that's the case, then you need to create a <CODE>calculated field</CODE> that does:</P> <PRE><CODE>eval action=if(action=="failed", "failure", action) </CODE></PRE> Fri, 06 Dec 2019 20:20:47 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-an-alias-for-a-CIM-field-in-Splunk-ES/m-p/502327#M8876 woodcock 2019-12-06T20:20:47Z