Replace field at index time

dsofoulis · ‎05-11-2017

Hi,

I would like to replace the "action" field so it conforms with the CIM datamodel.
action at present will alway equal either "Successful" or "error".
I would like to replace "Successful" to "success" and "error" to "failure".

For example
Current fields

action=Successful
action=error

After field replacement

action=success
action=failure

Thank you

adayton20 · ‎05-11-2017

You might explore creating a field alias for those fields under settings > fields > field alias

Splunk references field aliases as a first step under "Make your fields CIM-compliant" in the Common Information Model Add-on Manual. There are step by step instructions for various tasks: http://docs.splunk.com/Documentation/CIM/4.8.0/User/UsetheCIMtonormalizedataatsearchtime

Also, search time field extractions are recommended over index time:

https://answers.splunk.com/answers/5817/search-time-versus-index-time-field-extractions.html
https://answers.splunk.com/answers/2535/search-time-vs-index-time-field-extraction.html

Replace field at index time

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation

Replace field at index time

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...