All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk App for AWS: Why are auto-extracted fields not in the right format and how to fix this?

vaibhavagg2006
Communicator
‎11-19-2014 04:47 AM

I have some sample data from cloudtrail. But the auto-extracted fields are in the format "Records{}.* The app is not expecting "Records" keyword before the fieldname. What is the best way to rename all the fields in bulk without having need to change the queries.
Tried Field Alias from settings - "%22Records{}.%22*" AS "*" but its not working. I think this is due to extra quotes which splunk puts.

Please suggest a quicker way.

0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎11-19-2014 07:42 AM

What view on the app are you specifically referring to? And, did you use the the Add-on here to grab this sample data: https://apps.splunk.com/app/1876/?

0 Karma
Reply

vaibhavagg2006
Communicator
‎11-19-2014 08:46 AM

Hi,
I have sample log files, I have not used the add-on to grab the data but I have installed the add-on and used the configurations of props.conf provided in this app for aws:cloudtrail . My issue is the fields I am getting as the auto extracted field in the fieldbar starts with "Records{}."
But When I see the pre built field aliases included in the add-on, the field names do not have "Records{}. suffixed. Also the field names used in the queries donot have "Records{}." I think i am missing any configuration which can be set to ignore the Records{} key in the log file.

0 Karma
Reply

ajaycitrus
New Member
‎02-13-2020 01:43 AM

You can install the Add-on. Then, ingest the static file using Data input option and assign the correct Sourcetype (which will appear once you install the Add-on) to parse the data.

0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎11-19-2014 08:57 AM

You're not missing any configuration. You're just not using the Add-on which takes care of decomposing each record on its own event. Add-on's props and the App can understand all extraction based on that. I recommend you use the Add-on instead.

0 Karma
Reply

vaibhavagg2006
Communicator
‎11-19-2014 09:00 AM

oh..but i believe for using add-on i will need live aws instance. Actually I had to work on static logs for some proof of concept. Can I index static files using add-on?
Thank you for your inputs.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...