Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Applying many field aliases to many sourcetypes

brajaram
Communicator
‎03-23-2018 01:53 PM

I'm trying to find a way to create multiple field aliases across many sourcetypes. Much of our data being fed into splunk is done through JSON format, so field names are entire paths - something.something.moreannoyingthings. While it doesn't directly affect querying, I wanted to set up multiple field aliases to make our users lives easier.

However, we have a variety of sourcetypes that, while containing similar JSON data, are split for good reasons. As a result, any field alias I create would have to be duplicated many times, and I want to create many. In addition, any time we create a new sourcetype, I would need to retread the same work.

Is there a way to apply some sort of regex to sourcetypes to be able to apply a given field alias across many sourcetypes? Even something simple like *-prod.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Azeemering
Builder
‎03-23-2018 02:34 PM

Yes, you can do this by adding regex to a stanza. (NOT SUPPORTED I believe)

I’ve seen an example like this;

Let’s say you have 3 sourcetypes

acme:users
acme:logins
acme:sessions

Stanza [acme:] will NOT work.
But regexed stanza [(?::){0}acme:] WILL work.

I have not tested this myself...

View solution in original post

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎03-24-2018 03:05 PM

We had a similar thread at How can we apply TRUNCATE across many sourcetypes?

0 Karma
Reply
Solved! Jump to solution
Solution

Azeemering
Builder
‎03-23-2018 02:34 PM

Yes, you can do this by adding regex to a stanza. (NOT SUPPORTED I believe)

I’ve seen an example like this;

Let’s say you have 3 sourcetypes

acme:users
acme:logins
acme:sessions

Stanza [acme:] will NOT work.
But regexed stanza [(?::){0}acme:] WILL work.

I have not tested this myself...

Reply
Solved! Jump to solution

brajaram
Communicator
‎03-23-2018 02:36 PM

I assume this needs to be defined in props.conf? We use splunk web so I assume I can't do this through the web UI?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...