Are you a member of the Splunk Community?
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- metatada from index manipulation with aliases
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wanted to use the metadata command to monitor the last time an IDS sensor fed in our index. Because we are using firesight and therefor estreamer everything feeds in a single host and the source is always "encore". To cheekily resolve that, I tried to alias on the heavy forwarder the sensor field to source (in the estreamer TA), and also on the search head thusly:
FIELDALIAS-estreamer_source = sensor AS source
after restarting the heavy forwarder process, the new data feeding is working as expected and when I |stats count by source now, I see all the sensors, like I wanted, yet when using the metadata command, I only see encore. I am querying for the past hour so I should be seeing the changed data.. but no cookie...
any advice would be much appreciated.
N
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on my understanding of the metadata command, it is only able to report based on 'indexed fields'. This would not include anything added at search time (such a field aliases).
What might work (and this should be carefully tested) is changing the source filed at ingest on the HF using props.conf and transforms.conf.
This will take extra compute, but examples for a similar use case can be found here, and some other docs for reference too:
- Renaming sourcetype and source with props and transforms: https://answers.splunk.com/answers/90656/renaming-sourcetype-and-source-with-props-and-transforms.ht...
- Override source types on a per-event basis: https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Advancedsourcetypeoverrides
- Configure advanced extractions with field transforms: https://docs.splunk.com/Documentation/Splunk/7.2.3/Knowledge/Configureadvancedextractionswithfieldtr...
Hope this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on my understanding of the metadata command, it is only able to report based on 'indexed fields'. This would not include anything added at search time (such a field aliases).
What might work (and this should be carefully tested) is changing the source filed at ingest on the HF using props.conf and transforms.conf.
This will take extra compute, but examples for a similar use case can be found here, and some other docs for reference too:
- Renaming sourcetype and source with props and transforms: https://answers.splunk.com/answers/90656/renaming-sourcetype-and-source-with-props-and-transforms.ht...
- Override source types on a per-event basis: https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Advancedsourcetypeoverrides
- Configure advanced extractions with field transforms: https://docs.splunk.com/Documentation/Splunk/7.2.3/Knowledge/Configureadvancedextractionswithfieldtr...
Hope this helps!
.conf25 Registration is OPEN!
Detecting Cross-Channel Fraud with Splunk
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
