Getting Data In

Is it possible to create a field alias by event type?


I need to create a field aliase by event type. I saw that it is possible to reference an eventtype from the props.conf:
I am running Splunk 6.3.1

I've tried the following without success:


FIELDALIAS-user_for_opsec_vpn_bachata           = user_dn as user
FIELDALIAS-user_for_opsec_vpn_bachata_cust           = user_dn as user_cust
LOOKUP-action_for_opsec_bachata       = te_action_lookup te_action OUTPUT action


search = index="opsec-lea-cust" orig=bachata event_type=Login
#tags = vpn authentication*

Thank you very much.

Path Finder


I worked on the very similar problem right now but I had a to match on a mv field.

So i used something like this:

EVAL-action = if(mvfind(eventtype,"usp_nac-state_change")=1, "modified", null())

Maybe it helps someone in the future 🙂

0 Karma

Esteemed Legend

You should be able to do something like this in props.conf instead:

EVAL-user = if((eventtype=opsec_vpn_bachata)), user_dn, null())


This shouldn't work, because the calculated fields are made well before the typer even runs.

Typer and thus eventtypes, don't exist until after all the other props.conf stuff is done -- extractions, Aliases, calculated fields and lookups.

0 Karma

Esteemed Legend

I would open a support case. That "feature" is documented only in v6.3.0 and v6.3.1 of props.conf but disappears from v6.3.2 documentation versions and later. I can find no mention of the feature being added or deleted in any of the v6.* release notes. Did this ever work? What is the story? Only splunk can say.


Thanks for your answer.

I am opening the case.
In the meantime, do you know a way to achieve what I am trying to do?

Thank's again.

0 Karma

Esteemed Legend

See my answer. It works.

0 Karma
Get Updates on the Splunk Community!

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...

Observability Cloud | AWS PrivateLink Enabled for Splunk Observability Cloud

We’ve enabled AWS PrivateLink for Observability Cloud, giving you an additional inbound connection to send ...

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

September 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...