Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

kvmode=json and field aliases

rdownie
Communicator
‎04-17-2019 10:05 AM

When using kvmode=json to carve fields, when I try to create a field alias to make the fields CIM compliant, they don't appear to take. I assume there is a precedence here. Is there a way to accomplish this while still having the fields initially extracted with kvmode?
Any help would be appreciated.
Thanks,
-Bob

Reply

woodcock
Esteemed Legend
‎04-18-2019 06:08 AM

Are you saying, "I have complete control of the format of my logs which are in json format and I am adding field names that are CIM-compliant"? If so, then the only thing that could be wrong is that you're event is not fully-valid json but in that case it would not be some fields that are missing; it would be ALL fields.

0 Karma
Reply

pruthvikrishnap
Contributor
‎04-17-2019 12:01 PM

Hi RD,

I did face a similar issue before, i did force some required fields, which worked in my case.
https://answers.splunk.com/answers/562805/how-to-force-to-set-certain-fields-host-and-source.html

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...