Applying "FieldAlias" for specific type ... - Splunk Community

Knowledge Management

Hey All,

I have the 3 types of events coming from the same source(see below) with different codes such as TS01, US03 and VS05 respectively,

1) ABC:0|Application|ABCD|I2.0|TS01|Logging Change|Medium| eventId=4xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com.......

2) ABC:0|Application|ABCD|I2.0|US03|Logging Update|Medium| eventId=5xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com

3) ABC:0|Application|ABCD|I2.0|VS05|Logging Revert|Medium| eventId=6xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com

So, in the event(1) I want to rename the src_user as dest_user and shost as dhost without the same fields in the other 2 types of events.

In the "Props.conf" I can add below,

FIELDALIAS-src_host = src_host AS dest_host

FIELDALIAS-shost = shost AS dhost

but the issue is that if I use the above in props.conf the changes will get applied across all the event codes, so, my question is if there is a way to achieve this for only the specific code lets say, "TS01".

Any help on this will be much appreciated.

Thanks.

Can you use an EVAL instead of FIELDALIAS? If so, and presuming the 'type' field exists then this may work for you.

EVAL-dest_host = if(type="TS01", src_host, dest_host)
EVAL-dhost = if(type="TS01", shost, dhost)

---
If this reply helps you, Karma would be appreciated.

Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

Register Now This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...