Applying "FieldAlias" for specific type ... - Splunk Community

Knowledge Management

Hey All,

I have the 3 types of events coming from the same source(see below) with different codes such as TS01, US03 and VS05 respectively,

1) ABC:0|Application|ABCD|I2.0|TS01|Logging Change|Medium| eventId=4xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com.......

2) ABC:0|Application|ABCD|I2.0|US03|Logging Update|Medium| eventId=5xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com

3) ABC:0|Application|ABCD|I2.0|VS05|Logging Revert|Medium| eventId=6xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com

So, in the event(1) I want to rename the src_user as dest_user and shost as dhost without the same fields in the other 2 types of events.

In the "Props.conf" I can add below,

FIELDALIAS-src_host = src_host AS dest_host

FIELDALIAS-shost = shost AS dhost

but the issue is that if I use the above in props.conf the changes will get applied across all the event codes, so, my question is if there is a way to achieve this for only the specific code lets say, "TS01".

Any help on this will be much appreciated.

Thanks.

Can you use an EVAL instead of FIELDALIAS? If so, and presuming the 'type' field exists then this may work for you.

EVAL-dest_host = if(type="TS01", src_host, dest_host)
EVAL-dhost = if(type="TS01", shost, dhost)

---
If this reply helps you, Karma would be appreciated.

Get Updates on the Splunk Community!

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...