Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Applying many field aliases to many sourcetypes

brajaram
Communicator
‎03-23-2018 01:53 PM

I'm trying to find a way to create multiple field aliases across many sourcetypes. Much of our data being fed into splunk is done through JSON format, so field names are entire paths - something.something.moreannoyingthings. While it doesn't directly affect querying, I wanted to set up multiple field aliases to make our users lives easier.

However, we have a variety of sourcetypes that, while containing similar JSON data, are split for good reasons. As a result, any field alias I create would have to be duplicated many times, and I want to create many. In addition, any time we create a new sourcetype, I would need to retread the same work.

Is there a way to apply some sort of regex to sourcetypes to be able to apply a given field alias across many sourcetypes? Even something simple like *-prod.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Azeemering
Builder
‎03-23-2018 02:34 PM

Yes, you can do this by adding regex to a stanza. (NOT SUPPORTED I believe)

I’ve seen an example like this;

Let’s say you have 3 sourcetypes

acme:users
acme:logins
acme:sessions

Stanza [acme:] will NOT work.
But regexed stanza [(?::){0}acme:] WILL work.

I have not tested this myself...

View solution in original post

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎03-24-2018 03:05 PM

We had a similar thread at How can we apply TRUNCATE across many sourcetypes?

0 Karma
Reply
Solved! Jump to solution
Solution

Azeemering
Builder
‎03-23-2018 02:34 PM

Yes, you can do this by adding regex to a stanza. (NOT SUPPORTED I believe)

I’ve seen an example like this;

Let’s say you have 3 sourcetypes

acme:users
acme:logins
acme:sessions

Stanza [acme:] will NOT work.
But regexed stanza [(?::){0}acme:] WILL work.

I have not tested this myself...

Reply
Solved! Jump to solution

brajaram
Communicator
‎03-23-2018 02:36 PM

I assume this needs to be defined in props.conf? We use splunk web so I assume I can't do this through the web UI?

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...

Buttercup Games: Further Dashboarding Techniques (Part 6)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...