Re: Replace field at index time

dsofoulis · ‎05-11-2017

Hi,

I would like to replace the "action" field so it conforms with the CIM datamodel.
action at present will alway equal either "Successful" or "error".
I would like to replace "Successful" to "success" and "error" to "failure".

For example
Current fields

action=Successful
action=error

After field replacement

action=success
action=failure

Thank you

adayton20 · ‎05-11-2017

You might explore creating a field alias for those fields under settings > fields > field alias

Splunk references field aliases as a first step under "Make your fields CIM-compliant" in the Common Information Model Add-on Manual. There are step by step instructions for various tasks: http://docs.splunk.com/Documentation/CIM/4.8.0/User/UsetheCIMtonormalizedataatsearchtime

Also, search time field extractions are recommended over index time:

https://answers.splunk.com/answers/5817/search-time-versus-index-time-field-extractions.html
https://answers.splunk.com/answers/2535/search-time-vs-index-time-field-extraction.html

Replace field at index time

Don't miss your chance to share your Splunk wisdom in-person or virtually at .conf21!Call for Speakers hasbeen extended throughThursday, 5/20! Submit Now! >

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Submit Now! >