Solved: Applying many field aliases to many sourcetypes

brajaram · ‎03-23-2018

I'm trying to find a way to create multiple field aliases across many sourcetypes. Much of our data being fed into splunk is done through JSON format, so field names are entire paths - something.something.moreannoyingthings. While it doesn't directly affect querying, I wanted to set up multiple field aliases to make our users lives easier.

However, we have a variety of sourcetypes that, while containing similar JSON data, are split for good reasons. As a result, any field alias I create would have to be duplicated many times, and I want to create many. In addition, any time we create a new sourcetype, I would need to retread the same work.

Is there a way to apply some sort of regex to sourcetypes to be able to apply a given field alias across many sourcetypes? Even something simple like *-prod.

Azeemering · ‎03-23-2018

Yes, you can do this by adding regex to a stanza. (NOT SUPPORTED I believe)

I’ve seen an example like this;

Let’s say you have 3 sourcetypes

acme:users
acme:logins
acme:sessions

Stanza [acme:] will NOT work.
But regexed stanza [(?::){0}acme:] WILL work.

I have not tested this myself...

View solution in original post

ddrillic · ‎03-24-2018

We had a similar thread at How can we apply TRUNCATE across many sourcetypes?

Azeemering · ‎03-23-2018

Yes, you can do this by adding regex to a stanza. (NOT SUPPORTED I believe)

I’ve seen an example like this;

Let’s say you have 3 sourcetypes

acme:users
acme:logins
acme:sessions

Stanza [acme:] will NOT work.
But regexed stanza [(?::){0}acme:] WILL work.

I have not tested this myself...

brajaram · ‎03-23-2018

I assume this needs to be defined in props.conf? We use splunk web so I assume I can't do this through the web UI?

Applying many field aliases to many sourcetypes

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms