Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Field Extraction

cyber_castle
Path Finder
‎02-20-2020 03:39 AM

I have indexed few sample logs in to the Splunk..

2020-02-15T10:41:54.305Z servername.com sev="INFO" msg_details="Audit success" pol_name="policy_name"

Splunk by default extract the fields sev, msg_details, pol_name and extract the values appropriately. Everything loos good.

For me, i need to rename the field as severity instead of sev, Description instead of msg_details and Policies instead of pol_name.

I have updated the props.conf

[sourcetype]
FIELDALIAS-severity = sev AS Severity
FIELDALIAS-msg_details = msg_details AS Description
FIELDALIAS-pol_name = pol_name AS Policies

Fields are extracting properly.

When i run the search on Verbose Mode, i can see both sev and Severity, which is quiet annoying for the Analysts

Is it normal or do i have to write a EXTRACT function with appropriate REGEX in order to show only the Severity field NOT sev.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-20-2020 03:46 AM

Hi @cyber_castle,
Yes it's normal:

  • if you create an alias you have both the fields,
  • also using a regex you continue to have all the automatic field extractions so you'll have both the field names.

the only way to avoid to have both the field names is to insert a rename in all your searches.

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-20-2020 03:46 AM

Hi @cyber_castle,
Yes it's normal:

  • if you create an alias you have both the fields,
  • also using a regex you continue to have all the automatic field extractions so you'll have both the field names.

the only way to avoid to have both the field names is to insert a rename in all your searches.

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

cyber_castle
Path Finder
‎02-20-2020 04:05 AM

Thanks a lot for your prompt response.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...