Applying "FieldAlias" for specific type ... - Splunk Community

Knowledge Management

Hey All,

I have the 3 types of events coming from the same source(see below) with different codes such as TS01, US03 and VS05 respectively,

1) ABC:0|Application|ABCD|I2.0|TS01|Logging Change|Medium| eventId=4xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com.......

2) ABC:0|Application|ABCD|I2.0|US03|Logging Update|Medium| eventId=5xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com

3) ABC:0|Application|ABCD|I2.0|VS05|Logging Revert|Medium| eventId=6xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com

So, in the event(1) I want to rename the src_user as dest_user and shost as dhost without the same fields in the other 2 types of events.

In the "Props.conf" I can add below,

FIELDALIAS-src_host = src_host AS dest_host

FIELDALIAS-shost = shost AS dhost

but the issue is that if I use the above in props.conf the changes will get applied across all the event codes, so, my question is if there is a way to achieve this for only the specific code lets say, "TS01".

Any help on this will be much appreciated.

Thanks.

Can you use an EVAL instead of FIELDALIAS? If so, and presuming the 'type' field exists then this may work for you.

EVAL-dest_host = if(type="TS01", src_host, dest_host)
EVAL-dhost = if(type="TS01", shost, dhost)

---
If this reply helps you, Karma would be appreciated.

Get Updates on the Splunk Community!

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Security automation is no longer a luxury but a necessity. Join us to learn how Splunk ES and SOAR empower ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

Join us in this Tech Talk and learn about the recently launched AI Assistant in Observability Cloud. With ...

Index This | How many sides does a circle have?

March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with this ...