Applying "FieldAlias" for specific type ... - Splunk Community

Knowledge Management

Hey All,

I have the 3 types of events coming from the same source(see below) with different codes such as TS01, US03 and VS05 respectively,

1) ABC:0|Application|ABCD|I2.0|TS01|Logging Change|Medium| eventId=4xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com.......

2) ABC:0|Application|ABCD|I2.0|US03|Logging Update|Medium| eventId=5xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com

3) ABC:0|Application|ABCD|I2.0|VS05|Logging Revert|Medium| eventId=6xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com

So, in the event(1) I want to rename the src_user as dest_user and shost as dhost without the same fields in the other 2 types of events.

In the "Props.conf" I can add below,

FIELDALIAS-src_host = src_host AS dest_host

FIELDALIAS-shost = shost AS dhost

but the issue is that if I use the above in props.conf the changes will get applied across all the event codes, so, my question is if there is a way to achieve this for only the specific code lets say, "TS01".

Any help on this will be much appreciated.

Thanks.

Can you use an EVAL instead of FIELDALIAS? If so, and presuming the 'type' field exists then this may work for you.

EVAL-dest_host = if(type="TS01", src_host, dest_host)
EVAL-dhost = if(type="TS01", shost, dhost)

---
If this reply helps you, Karma would be appreciated.

Get Updates on the Splunk Community!

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...

Enterprise Security Content Update (ESCU) | New Releases

In October, the Splunk Threat Research Team had one release of new security content via the Enterprise ...