Splunk Search

Ignore Dynamic KV Creation

markwymer
Path Finder

Hi,

I'm trying to get to grips with CIM and am getting there slowly; however, I hit a snag that I can't seem to get around, and it makes one of my field extraction results 'ugly'!!

I've got a load of events from different sources in my eventtype="Authenticate" type. In nearly every case, I've had to create a dynamic field extraction called action (as per the CIM model name) for the Success/Fail status. So far so good.

I've started ingesting another Authentication type log which, unfortunately, contains the KV field action=some_unique_string

Is there any way that I can get Splunk to either ignore this KV or change the key to something other than action so that I can use my own action field extraction?

Thanks, Mark.


jkat54
SplunkTrust

I see the issue more clearly now.

For the new "Authentication" source, rename the field upon ingestion.

In props.conf:

[sourcetype]
sedcmd-renamer = s/action=/authaction=/g

woodcock
Esteemed Legend

This probably will not work unless you use SEDCMD instead of sedcmd.


mreynov_splunk
Splunk Employee

KV_MODE is too useful to turn off for this case.
Because lookups are executed after field aliases, you can alias your existing action field to some other name (like vendor_action) and then overwrite it with your lookup. This way you get both.


woodcock
Esteemed Legend

You need to put this in props.conf to turn off the automatic field extraction but it will do so for all fields in the entire sourcetype:

KV_MODE = none

jkat54
SplunkTrust
SplunkTrust

You could use a more narrow field extraction for your "own" action field.

(?<action>(?<=action=)(Success|Fail))

This would only extract a field called action if it matched "action=" followed by "Success" or "Fail". It will not extract the action field otherwise.

You can use this in search with the rex command, or otherwise by using the "report" options in props.conf & transforms.conf.

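To see how the narrow extraction above behaves against mixed sources, here is an added example (not from the thread or from Splunk) that runs the same regex over constructed sample events in Python; the sample events and the word-boundary variant are my assumptions, not something the thread states.

```python
import re

# Constructed sample events (not from the original thread): the first source
# logs the CIM-style Success/Fail status, the second carries a vendor-specific
# KV that also happens to be named "action".
EVENTS = [
    "Jan 10 12:00:01 host1 sshd: user=alice action=Success src=10.0.0.5",
    "Jan 10 12:00:02 host1 sshd: user=bob action=Fail src=10.0.0.9",
    "Jan 10 12:00:03 vpn01 vendor: user=carol action=some_unique_string result=ok",
    "Jan 10 12:00:04 host2 app: user=dave action=Successfully_logged_in",
]

# The regex from the answer above, in Python syntax ((?P<name>...) instead of
# (?<name>...)). The lookbehind requires "action=" immediately before the value.
NARROW = re.compile(r"(?P<action>(?<=action=)(Success|Fail))")

# Assumed hardening: add a word boundary so a vendor value that merely starts
# with "Success" (e.g. "Successfully_logged_in") is not truncated into a false
# CIM action of "Success".
NARROW_BOUNDED = re.compile(r"(?<=action=)(?P<action>Success|Fail)\b")


def extract_action(event, pattern=NARROW_BOUNDED):
    """Return the extracted action, or None when the event's action KV does not
    carry a Success/Fail status (so the vendor string is left alone)."""
    match = pattern.search(event)
    return match.group("action") if match else None


def extract_all(events, pattern=NARROW_BOUNDED):
    """Apply the extraction to every event, preserving order."""
    return [extract_action(e, pattern) for e in events]


if __name__ == "__main__":
    for event, action in zip(EVENTS, extract_all(EVENTS)):
        print(f"{action!s:8} <- {event}")
```

Only the events that actually carry a Success/Fail status get an action value; the vendor's action=some_unique_string is never extracted, which is the behaviour the narrow regex is meant to give.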