Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Applying many field aliases to many sourcetypes

brajaram
Communicator
‎03-23-2018 01:53 PM

I'm trying to find a way to create multiple field aliases across many sourcetypes. Much of our data being fed into splunk is done through JSON format, so field names are entire paths - something.something.moreannoyingthings. While it doesn't directly affect querying, I wanted to set up multiple field aliases to make our users lives easier.

However, we have a variety of sourcetypes that, while containing similar JSON data, are split for good reasons. As a result, any field alias I create would have to be duplicated many times, and I want to create many. In addition, any time we create a new sourcetype, I would need to retread the same work.

Is there a way to apply some sort of regex to sourcetypes to be able to apply a given field alias across many sourcetypes? Even something simple like *-prod.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Azeemering
Builder
‎03-23-2018 02:34 PM

Yes, you can do this by adding regex to a stanza. (NOT SUPPORTED I believe)

I’ve seen an example like this;

Let’s say you have 3 sourcetypes

acme:users
acme:logins
acme:sessions

Stanza [acme:] will NOT work.
But regexed stanza [(?::){0}acme:] WILL work.

I have not tested this myself...

View solution in original post

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎03-24-2018 03:05 PM

We had a similar thread at How can we apply TRUNCATE across many sourcetypes?

0 Karma
Reply
Solved! Jump to solution
Solution

Azeemering
Builder
‎03-23-2018 02:34 PM

Yes, you can do this by adding regex to a stanza. (NOT SUPPORTED I believe)

I’ve seen an example like this;

Let’s say you have 3 sourcetypes

acme:users
acme:logins
acme:sessions

Stanza [acme:] will NOT work.
But regexed stanza [(?::){0}acme:] WILL work.

I have not tested this myself...

Reply
Solved! Jump to solution

brajaram
Communicator
‎03-23-2018 02:36 PM

I assume this needs to be defined in props.conf? We use splunk web so I assume I can't do this through the web UI?

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...