Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to rename a JSON field by editing a configuration file (NOT when running search)?

leonjxtan
Path Finder
‎03-19-2017 10:06 PM

There is a log source that publishes events in JSON format, but the field name is in 3-digit numbers, not in English, like below:

{"xyzEvent" : {111 : "2017-03-20 02:58:02.000",222 : "New", 333 : "Alex Bob"}}

I wanted to rename those field names when the events arrive, not when support users search in the application.
For example, I wanted to rename 111 to "TimeStamp"; 222 to "EventType"; 333 to "User", etc.
Could you advise the easiest way to do so?

Ways I have tried:
I was thinking to config the search props.conf to specific those fields, but it seems I can only config based on regex. It does not seem to be an efficient way...

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Masa
Splunk Employee
Splunk Employee
‎03-20-2017 05:18 PM

As @niketnilay is saying in a comment in question, you can use props.conf's FIELDALIAS attribute. 

FIELDALIAS-alias01 = xyzEvent.111 AS TimeStamp
FIELDALIAS-alias02 = xyzEvent.222 AS EventType
FIELDALIAS-alias03 = xyzEvent.333 AS User

One thing is that 111, 222, 333 require double-quotes as strings.
If they do not have double-quotes, Splunk will not be able to take the event as json format, and auto-KV extraction will not extract field 111, 222, 333.

Please double-check the events using a Json validator available in Internet.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Masa
Splunk Employee
Splunk Employee
‎03-20-2017 05:18 PM

As @niketnilay is saying in a comment in question, you can use props.conf's FIELDALIAS attribute. 

FIELDALIAS-alias01 = xyzEvent.111 AS TimeStamp
FIELDALIAS-alias02 = xyzEvent.222 AS EventType
FIELDALIAS-alias03 = xyzEvent.333 AS User

One thing is that 111, 222, 333 require double-quotes as strings.
If they do not have double-quotes, Splunk will not be able to take the event as json format, and auto-KV extraction will not extract field 111, 222, 333.

Please double-check the events using a Json validator available in Internet.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-20-2017 12:48 AM

You can create field alias knowledge object.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...