Hello,
I have a props.conf for an XML file. I just copied the props.conf which was automatically created in the "Add Data" process.
So I am not really familiar with the commands within the props.conf. It looks like this:
[ownsourcetype]
BREAK_ONLY_BEFORE = <Interceptor>
KV_MODE = xml
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%d
TIME_PREFIX = <ActionDate>
category = Custom
disabled = false
pulldown_type = true
It's creating fields like this: Interceptor.ActionDate, Interceptor.LaunchCoords
Events look like this:
<Interceptor>
<fieldname>value</fieldname>
</Interceptor>
So which command in the props.conf is responsible for the field extraction? How do I change it so that the fields will look like this: ActionDate, LaunchCoords etc?
Thank you
The line KV_MODE = xml is doing the search time field extractions here. With XML files this is the name of fields that will get created. One option you can try is to set up a field alias to rename Interceptor.FieldName to FieldName. See more information here
http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/Addaliasestofields
You need to add something like this to your props.conf
FIELDALIAS-extract = Interceptor.* AS *
Hello,
thank you. It's not quite working for me... I added the props.conf. But it's not working with "FIELDALIAS-extract = Interceptor.* AS *", it's working with FIELDALIAS-extract = Interceptor.ActionDate AS ActionDate.
But that's creating a new problem, now I have both fields, ActionDate and Interceptor.ActionDate.
Is there a FIELDALIAS- that just renames the fields, instead of extracting?
Thank you