Getting Data In

Can I use a multiple field alias to normalize across sourcetypes?

bworrellZP
Communicator

Looking for the most effective way to "normalize" fields across multiple indexes and sourcetypes.

We have 30+ indexes with that many (or more) sourcetypes. Many of these are for internal applications for which I pull data from SQL databases. This has caused issues with trying to search on all indexes for Source or Destination IP. Looking for a way to take this list (only a sample of the fields I have found so far), and to be able to group all Source IPs into a src_ip field. Same with Destination. (I will map each; the method of mapping in Splunk is what I am looking for.)

Anyone have a suggestion for an effective way to do this, rather than making a very complex search?

field
AdminIPAddress
ClientIP
Client_IP
Client_ip
ComputerIPAddress
Description
DestinationIPAddress
Framed_IP_Address
IP
IpAddress
Local_IP
NAS_IP_Address
NatIP
Nat_ip
Remote_ip
VserverServiceIP
Vserver_ip
X_MS_Forwarded_Client_IP
assigned_ip
c_ip
client_ip
dest_ip
dest_ipv6
dest_translated_ip
dst_ip
ip
nsica_session_client_ip
nsica_session_server_ip
s_ip
server_ip
src_ip
src_ipv6
src_public_ip
src_translated_ip

Thank you,
Brian

0 Karma

3no
Communicator
0 Karma

bworrellZP
Communicator

3no,

I thought about that, but as I understand the process, I would have to make an alias per sourcetype, for each alias. I was hoping there was a way to do a field alias or another alias, across all sourcetypes.

Thanks

0 Karma

3no
Communicator

No, as far as I know there's no such mechanism. You'll have to do it by sourcetype.

It's because sourcetypes generally have different field numbers, field names, etc. If you can rename the fields for all your sourcetypes, it will mean that all your sourcetypes already have the same names.

For example, all your sourcetypes refer to src_ip as source_ip. But why would you need normalization then, if you don't need to be CIM compliant? | top 10 source_ip works as well 🙂

Hope that helps,

3no

0 Karma
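As an added example (not from the thread), this is what the per-sourcetype approach 3no describes looks like in props.conf, plus a calculated field for a sourcetype that carries several candidate fields and a macro that applies the same coalesce at search time across every sourcetype until the aliases are deployed; the sourcetype names are assumptions, the field names are taken from the list in the question.

```ini
# props.conf (search-time, deploy to the search head)
# FIELDALIAS and EVAL settings are scoped to the stanza they sit in,
# so each sourcetype gets its own stanza. Sourcetype names are made up.

[sql:netscaler]
FIELDALIAS-cim_src  = nsica_session_client_ip AS src_ip
FIELDALIAS-cim_dest = Vserver_ip AS dest_ip

[sql:radius]
FIELDALIAS-cim_src  = Framed_IP_Address AS src_ip
FIELDALIAS-cim_dest = NAS_IP_Address AS dest_ip

[sql:webproxy]
# Several fields can hold the client address; calculated fields run
# after aliases, so coalesce() picks the first one that is present.
EVAL-src_ip  = coalesce(X_MS_Forwarded_Client_IP, c_ip, ClientIP)
EVAL-dest_ip = coalesce(DestinationIPAddress, s_ip, server_ip)

# macros.conf
# Search-time fallback that works across all sourcetypes at once:
# `normalize_ip` after the base search, then stats/top on src_ip.
[normalize_ip]
definition = eval src_ip=coalesce(src_ip, Client_IP, ClientIP, Client_ip, c_ip, client_ip, Remote_ip, assigned_ip, src_public_ip), dest_ip=coalesce(dest_ip, dst_ip, DestinationIPAddress, server_ip, s_ip, Local_IP)
iseval = 0
```

The macro keeps one place to extend as new field names turn up; once a sourcetype has its own FIELDALIAS stanza, coalesce() simply finds src_ip already set.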

bworrellZP
Communicator

Hrm, thinking differently, could I use a lookup for that? And yes, the goal is to move to CIM compliance at some point, and use ES as well, though I believe that is a bit off still (team understaffed at the moment).

0 Karma