Getting Data In

How to rename a JSON field by editing a configuration file (NOT when running search)?

leonjxtan
Path Finder

There is a log source that publishes events in JSON format, but the field name is in 3-digit numbers, not in English, like below:

{"xyzEvent" : {111 : "2017-03-20 02:58:02.000",222 : "New", 333 : "Alex Bob"}}

I wanted to rename those field names when the events arrive, not when support users search in the application.
For example, I wanted to rename 111 to "TimeStamp"; 222 to "EventType"; 333 to "User", etc.
Could you advise the easiest way to do so?

Ways I have tried:
I was thinking to config the search props.conf to specific those fields, but it seems I can only config based on regex. It does not seem to be an efficient way...

0 Karma
1 Solution

Masa
Splunk Employee
Splunk Employee

As @niketnilay is saying in a comment in question, you can use props.conf's FIELDALIAS attribute.

FIELDALIAS-alias01 = xyzEvent.111 AS TimeStamp
FIELDALIAS-alias02 = xyzEvent.222 AS EventType
FIELDALIAS-alias03 = xyzEvent.333 AS User

One thing is that 111, 222, 333 require double-quotes as strings.
If they do not have double-quotes, Splunk will not be able to take the event as json format, and auto-KV extraction will not extract field 111, 222, 333.

Please double-check the events using a Json validator available in Internet.

View solution in original post

0 Karma

Masa
Splunk Employee
Splunk Employee

As @niketnilay is saying in a comment in question, you can use props.conf's FIELDALIAS attribute.

FIELDALIAS-alias01 = xyzEvent.111 AS TimeStamp
FIELDALIAS-alias02 = xyzEvent.222 AS EventType
FIELDALIAS-alias03 = xyzEvent.333 AS User

One thing is that 111, 222, 333 require double-quotes as strings.
If they do not have double-quotes, Splunk will not be able to take the event as json format, and auto-KV extraction will not extract field 111, 222, 333.

Please double-check the events using a Json validator available in Internet.

View solution in original post

0 Karma

niketnilay
Legend

You can create field alias knowledge object.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!