I'm working on a corporate Splunk instance where we do not have access to rename fields when indexing, or make any similar modifications due to security and compliance requirements.
I'm trying to create a timechart based on the number of events per hour by host. My issue is that the JSON data has a host field in addition to the Splunk built-in host field.
I.e. a sample event looks like:
{"time":"2019-04-05T21:50:09.925Z","severity":"INFO","duration":25.02,"db":10.23,"view":14.79,"status":200,"method":"GET","path":"/api/v4/project/1","params":[],"host":"my_server_1","ip":"1.2.3.4, 4.5.6.7","ua":null,"route":"/api/:version/projects/:id","user_id":12,"username":"smithers","queue_duration":4.35,"magic_calls":0}
My search looks like:
index="my_index" host="prd-srv-00*" source="/var/log/my_program/http_json*" | timechart span=1h count by host
When I do this it combines the hosts the logs came from (built-in host field) and the hosts listed in the data (host field in the JSON).
If I try to filter out the hosts from the data, it removes the events from the built-in host field as well, i.e.:
index="my_index" host="prd-srv-00*" AND host!="0.0.0.0" source="/var/log/my_program/http_json*" | timechart span=1h count by host
I have also tried to use ... | where host!="0.0.0.0" | ... but this has the same result.
Any advice on a solution or workaround to handle this at search time? I.e., can I rename the column when searching, etc.?
Thanks in advance for any help.
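One search-time workaround, added here as an example and not part of the question above. It assumes (as the symptoms suggest) that Splunk's automatic JSON extraction merges the extracted host value into the indexed host field, leaving a multivalue field, so the indexed value can be recovered by keeping only the values that match the host pattern the search already uses; the field names splunk_host, host_mv and json_host are chosen for this example.

```spl
index="my_index" host="prd-srv-00*" source="/var/log/my_program/http_json*"
| eval host_mv=host
| eval splunk_host=mvfilter(match(host_mv, "^prd-srv-00"))
| eval json_host=mvfilter(NOT match(host_mv, "^prd-srv-00"))
| timechart span=1h count by splunk_host
```

The host="prd-srv-00*" filter in the base search still matches because any value of a multivalue field can satisfy it; the eval lines only change which value the timechart splits on, and json_host keeps the application-supplied value (for example my_server_1) available for a separate chart or filter.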