Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to rename a JSON field by editing a configuration file (NOT when running search)?

leonjxtan
Path Finder
‎03-19-2017 10:06 PM

There is a log source that publishes events in JSON format, but the field name is in 3-digit numbers, not in English, like below:

{"xyzEvent" : {111 : "2017-03-20 02:58:02.000",222 : "New", 333 : "Alex Bob"}}

I wanted to rename those field names when the events arrive, not when support users search in the application.
For example, I wanted to rename 111 to "TimeStamp"; 222 to "EventType"; 333 to "User", etc.
Could you advise the easiest way to do so?

Ways I have tried:
I was thinking to config the search props.conf to specific those fields, but it seems I can only config based on regex. It does not seem to be an efficient way...

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Masa
Splunk Employee
Splunk Employee
‎03-20-2017 05:18 PM

As @niketnilay is saying in a comment in question, you can use props.conf's FIELDALIAS attribute. 

FIELDALIAS-alias01 = xyzEvent.111 AS TimeStamp
FIELDALIAS-alias02 = xyzEvent.222 AS EventType
FIELDALIAS-alias03 = xyzEvent.333 AS User

One thing is that 111, 222, 333 require double-quotes as strings.
If they do not have double-quotes, Splunk will not be able to take the event as json format, and auto-KV extraction will not extract field 111, 222, 333.

Please double-check the events using a Json validator available in Internet.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Masa
Splunk Employee
Splunk Employee
‎03-20-2017 05:18 PM

As @niketnilay is saying in a comment in question, you can use props.conf's FIELDALIAS attribute. 

FIELDALIAS-alias01 = xyzEvent.111 AS TimeStamp
FIELDALIAS-alias02 = xyzEvent.222 AS EventType
FIELDALIAS-alias03 = xyzEvent.333 AS User

One thing is that 111, 222, 333 require double-quotes as strings.
If they do not have double-quotes, Splunk will not be able to take the event as json format, and auto-KV extraction will not extract field 111, 222, 333.

Please double-check the events using a Json validator available in Internet.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-20-2017 12:48 AM

You can create field alias knowledge object.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...