Hi Guys,
I am wondering if there is a way that fields can be linked (sort of like aliases in PowerShell if that helps for context).
For example, the default host field and a field named "computer_fqdn" give the same value. However, if you search for "host=examplename" but the event that you're looking for uses the "computer_fqdn" field, the event won't show.
I'm happy to answer any questions regarding this issue.
Thanks in advance,
Jamie

You might be able to set up props.conf for your sourcetype using FIELDALIAS to achieve this.

Hi
As @ITWhisperer said, there is the concept of an ALIAS, which gives you this kind of functionality. Another, more extended concept is CIM (Common Information Model), which helps users/developers onboarding systems to Splunk to use common names etc. With this concept you could create dashboards, alerts and reports with those common names, data models, tags etc. without knowing the exact field names, e.g. in Cisco SW/FW vs. Palo Alto vs. Juniper vs. Forte etc.
You can find the CIM app at https://splunkbase.splunk.com/app/1621 and the documentation at https://docs.splunk.com/Documentation/CIM/latest/User/Overview
This is used in quite a lot of apps and TAs on Splunkbase.
r. Ismo
Hi @isoutamo,
Thanks for the additional info, I've got the CIM app set up and managed to achieve my goal just in the Splunk settings.
Once again, thanks for the info,
Jamie

host is usually used by Splunk for the host the event came from - is this the host field you are talking about, or is there also a host field in your event data as well as computer_fqdn?
Hi There,
Yeah, the host field I am talking about is the host on which the event was raised.
For example, if I were to search host="computer1", it would show all the events that took place on that computer. The issue is that one of the add-ons I use doesn't use the host field; it instead uses a field called "computer_fqdn", but they both hold the same value.
My goal is to essentially have host="computer1" and computer_fqdn="computer1" give the same results when searched.

Can you search
host="computer1" OR computer_fqdn="computer1"
That search would yield the desired result. But I was wondering if there was a way to connect the fields in a way.

You might be able to set up props.conf for your sourcetype using FIELDALIAS to achieve this.
Hey There,
I didn't end up editing stanzas, but I found a way to do it just through the Splunk Cloud settings. Your suggestion definitely led me down the right path though 🙂
Jamie
Hi There,
I'm going to give this a go now, and I'll let you know if it works.
Jamie
