Splunk Search

Ignore Dynamic KV Creation

markwymer
Path Finder

Hi,

I'm trying to get to grips with CIM and am getting there slowly; however, I hit a snag that I can't seem to get around, and it makes one of my field extraction results 'ugly'!!

I've got a load of events from different sources in my eventtype="Authenticate" type. In nearly every case, I've had to create a dynamic field extraction called action (as per the CIM model name) for the Success/Fail status. So far so good.

I've started ingesting another Authentication type log which, unfortunately, contains the KV field action=some_unique_string.

Is there any way that I can get Splunk to either ignore this KV or change the key to something other than action so that I can use my own action field extraction?

Thanks, Mark.

0 Karma

jkat54
SplunkTrust

I see the issue more clearly now.

For the new "Authentication" source, rename the field upon ingestion.

In props.conf:

[sourcetype]
sedcmd-renamer = s/action=/authaction=/g

0 Karma

woodcock
Esteemed Legend

This probably will not work unless you use SEDCMD instead of sedcmd.

0 Karma

mreynov_splunk
Splunk Employee

KV_MODE is too useful to turn off for this case.
Because lookups are executed after field aliases, you can alias your existing action field to some other name (like vendor_action) and then overwrite it with your lookup. This way you get both.

0 Karma

woodcock
Esteemed Legend

You need to put this in props.conf to turn off the automatic field extraction but it will do so for all fields in the entire sourcetype:

KV_MODE = none

0 Karma

jkat54
SplunkTrust
SplunkTrust

You could use a more narrow field extraction for your "own" action field.

(?<action>(?<=action=)(Success|Fail))

This would only extract a field called action if it matched "action=" followed by "Success" or "Fail". It will not extract the action field otherwise.

You can use this in search with the rex command, or otherwise by using the "report" options in props.conf & transforms.conf.

0 Karma
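The index-time rename and the search-time alternatives discussed in the replies above, written out as props.conf/transforms.conf stanzas. This is an added example, not configuration posted by anyone in the thread; the sourcetype name vendor:auth and the stanza/class names are assumptions.

```ini
# props.conf  (assumed sourcetype name: vendor:auth)
# Pick ONE of the two variants below; they are not meant to be combined.

# ---- Variant A: index time, as in the SEDCMD reply -------------------------
# Rewrites the vendor's key before indexing, so automatic KV extraction yields
# vendor_action rather than action. Notes a practitioner will want:
#  - the directive name is case-sensitive: SEDCMD-<class>, not sedcmd-<class>
#  - it applies only to data indexed after the change, never to existing events
#  - it must sit on the parsing tier (indexer or heavy forwarder), not a UF
[vendor:auth]
SEDCMD-rename_vendor_action = s/action=/vendor_action=/g

# ---- Variant B: search time, keep KV_MODE and add a narrow extraction --------
# Automatic KV extraction stays on; the REPORT extraction only produces action
# when the value is Success or Fail, while FIELDALIAS keeps the vendor's raw
# value reachable under a second name. Do not add the SEDCMD line from
# Variant A here: after the rename, the lookbehind (?<=action=) in the REPORT
# regex would also match inside "vendor_action=".
[vendor:auth]
KV_MODE = auto
REPORT-cim_action = cim_action_success_fail
FIELDALIAS-vendor_action = action AS vendor_action

# transforms.conf
# A named capture group is enough; with no FORMAT line the group name becomes
# the field name. Anchor with \b if the vendor log has other keys ending in
# "action=" (for example transaction=), which the bare lookbehind would match.
[cim_action_success_fail]
REGEX = (?<action>(?<=action=)(Success|Fail))
```

After deploying Variant B, `... | rex field=_raw "(?<action>(?<=action=)(Success|Fail))"` in a search reproduces the same extraction ad hoc, which is a quick way to confirm the regex before committing it to transforms.conf.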