Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Field Extraction

cyber_castle
Path Finder
‎02-20-2020 03:39 AM

I have indexed few sample logs in to the Splunk..

2020-02-15T10:41:54.305Z servername.com sev="INFO" msg_details="Audit success" pol_name="policy_name"

Splunk by default extract the fields sev, msg_details, pol_name and extract the values appropriately. Everything loos good.

For me, i need to rename the field as severity instead of sev, Description instead of msg_details and Policies instead of pol_name.

I have updated the props.conf

[sourcetype]
FIELDALIAS-severity = sev AS Severity
FIELDALIAS-msg_details = msg_details AS Description
FIELDALIAS-pol_name = pol_name AS Policies

Fields are extracting properly.

When i run the search on Verbose Mode, i can see both sev and Severity, which is quiet annoying for the Analysts

Is it normal or do i have to write a EXTRACT function with appropriate REGEX in order to show only the Severity field NOT sev.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-20-2020 03:46 AM

Hi @cyber_castle,
Yes it's normal:

  • if you create an alias you have both the fields,
  • also using a regex you continue to have all the automatic field extractions so you'll have both the field names.

the only way to avoid to have both the field names is to insert a rename in all your searches.

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-20-2020 03:46 AM

Hi @cyber_castle,
Yes it's normal:

  • if you create an alias you have both the fields,
  • also using a regex you continue to have all the automatic field extractions so you'll have both the field names.

the only way to avoid to have both the field names is to insert a rename in all your searches.

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

cyber_castle
Path Finder
‎02-20-2020 04:05 AM

Thanks a lot for your prompt response.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...