Getting Data In

Is it possible for a field alias for all sourcetypes to exclude a specific one?

aasabatini
Motivator

Hi folks,

I have a field alias for my all sourcetypes 

 

 

 

[default]
FIELDALIAS-cliente = index AS client

 

 

 

 

but I want to exclude some sourcetypes for example I dont' want this field alias for stash or internal log.

is it possible?

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @aasabatini ,

Ciao Ale,

Could you better describe you requirement?

anyway, I think that you could try with a calculated field (in which you can insert a condition) instead a field alias.

Ciao.

Giuseppe

 

0 Karma

aasabatini
Motivator

Hi @gcusello 

I hope you are well.

I need  the field client based on the  index field value  for all my data except for stash sourcetype, currently the field alias works fine with the global configuration but I didn't find to exclude the souretype stash.

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma

gcusello
SplunkTrust
SplunkTrust

Ciao Ale,

did you tried with a calculated field?

Ciao.

Giuseppe

0 Karma

aasabatini
Motivator

Hi @gcusello 

 

calculated or field-alias is the same under default stanza on props, I need a strategy to exclude the stash sourcetype.

 

Regards

Ale

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma

gcusello
SplunkTrust
SplunkTrust

Ciao Ale,

using a calculated field, you can insert a condition like the ones you described, that you cannot insert in an alias.

Ciao.

Giuseppe

aasabatini
Motivator

Hi @gcusello 

unfortunately doesn't works, for example if I created a condition to exclude the sourcetype stash like this:

[default]
EVAL-cliente = if(sourcetype="stash","",index)

 

when you call for example the index with stash sourcetype, you will have the cliente field empty, but I need no field for that sourcetype.

I suppose the best strategy is define  any field -alias for all sourcetypes and don't set any rule for stash

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma

gcusello
SplunkTrust
SplunkTrust

Ciao Ale

only you can define if this workaround can be a solution for yoit requirement, but I think that could have sense.

Ciao.

Giuseppe

0 Karma

glc_slash_it
Path Finder

Hey!
The props.conf documentation says the following for default:

# Use the [default] stanza to define any global settings.
#   * You can also define global settings outside of any stanza, at the top
#     of the file.
#   * Each conf file should have at most one default stanza. If there are
#     multiple default stanzas, settings are combined. In the case of
#     multiple definitions of the same setting, the last definition in the
#     file wins.
#   * If a setting is defined at both the global level and in a specific
#     stanza, the value in the specific stanza takes precedence.

 

I would try out the following

Keep your config for default stanza

[default]
FIELDALIAS-cliente = index AS client

 

Define the fieldalias as null/none, for all other sourcetypes you want to exclude

[_internal]
FIELDALIAS-cliente = 

[other_sourcetype]
FIELDALIAS-cliente = 


------------
If this was helpful, some karma would be appreciated.

0 Karma

aasabatini
Motivator

Hi @glc_slash_it 

 

unfortunately this solution doesn't works.

need to find another solution

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...