Hello,
I have a couple of sources for which Splunk is nicely and automatically pulling the fields I need into the "Interesting Fields". One is Active Directory and the other is JSON. The problem is that I need to use these fields in a data model, but they are not named the same. Is there a way to map these fields to a name so I don't have to manually create an extraction for each? If not, is there anywhere I can see what regexes Splunk is using to extract the fields so I can make sure I get them right?
Thanks!
You can use the Field Alias knowledge objects provided in Splunk. Refer to the following documentation:
http://docs.splunk.com/Documentation/Splunk/6.5.1/Knowledge/Addaliasestofields
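A field alias configuration for the situation in the question, as an added example that is not part of the original thread. The sourcetype names, the source field names, and the target names `user` and `src` are assumed placeholders; substitute the names your sources and data model actually use.

```ini
# props.conf, for example in $SPLUNK_HOME/etc/apps/<your_app>/local/
# Field aliases are applied at search time, after automatic key/value
# extraction, so no extra regex extraction is needed for either source.
# All stanza and field names below are hypothetical placeholders.

[my_ad_sourcetype]
# Map the automatically extracted Active Directory fields to the names
# the data model expects. The original field stays available as well.
FIELDALIAS-dm_user = sAMAccountName AS user
FIELDALIAS-dm_src  = src_host AS src

[my_json_sourcetype]
# Several aliases can share one FIELDALIAS line.
FIELDALIAS-dm_names = username AS user client_ip AS src
```

With both stanzas in place, a data model constraint or search can reference `user` and `src` regardless of which source an event came from.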