Hi,
I'm trying to get to grips with CIM and am getting there slowly; however, I hit a snag that I can't seem to get around, and it makes one of my field extraction results ugly!
I've got a load of events from different sources in my eventtype="Authenticate" type. In nearly every case, I've had to create a dynamic field extraction called action (as per the CIM model name) for the Success/Fail status. So far so good.
I've started ingesting another Authentication type log which, unfortunately, contains the KV field action=some_unique_string.
Is there any way that I can get Splunk to either ignore this KV or change the key to something other than action, so that I can use my own action field extraction?
Thanks, Mark.
I see the issue more clearly now.
For the new "Authentication" source, rename the field upon ingestion in props.conf:
[sourcetype]
sedcmd-renamer = s/action=/authaction=/g

This probably will not work unless you use SEDCMD instead of sedcmd.
KV_MODE is too useful to turn off for this case.
Because lookups are executed after field aliases, you can alias your existing action field to some other name (like vendor_action) and then overwrite it with your lookup. This way you get both.
You need to put this in props.conf to turn off the automatic field extraction, but it will do so for all fields in the entire sourcetype:
KV_MODE = none
You could use a more narrow field extraction for your "own" action field:
(?<action>(?<=action=)(Success|Fail))
This would only extract a field called action if it matched "action=" followed by "Success" or "Fail". It will not extract the action field otherwise.
You can use this in search with the rex command, or otherwise by using the "report" options in props.conf and transforms.conf.
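To show how the two approaches above (aliasing the vendor's action to vendor_action, and the narrow Success/Fail regex) combine on real-looking events, here is an added example that is not part of the thread and not Splunk's own code. It mimics the extraction layers in plain Python on constructed sample events; the regex is the one from the answer above, with Python's (?P<name>...) group syntax in place of Splunk's (?<name>...).

```python
import re

# Constructed sample events (not from the thread): two sources where action=
# already carries the CIM Success/Fail status, and one new source whose
# vendor-supplied action= holds an unrelated string plus a separate result field.
SAMPLE_EVENTS = [
    'Jan 01 10:00:01 host1 sshd: user=alice action=Success src=10.0.0.5',
    'Jan 01 10:00:02 host1 sshd: user=bob action=Fail src=10.0.0.9',
    'Jan 01 10:00:03 vpn01 login: user=carol action=session_open result=Fail',
]

# The narrow extraction from the thread; Splunk's rex would use (?<action>...).
# The lookbehind is fixed-width ("action="), so Python's re accepts it.
CIM_ACTION_RE = re.compile(r'(?P<action>(?<=action=)(Success|Fail))')

# Generic key=value tokenizer, standing in for KV_MODE=auto.
KV_RE = re.compile(r'(\w+)=(\S+)')


def extract_fields(event):
    """Return the fields for one event, layered the way the answers suggest:
    automatic KV extraction first, then the vendor's action= moved aside to
    vendor_action, then the CIM action set only when the narrow regex matches."""
    fields = {key: value for key, value in KV_RE.findall(event)}
    # Keep whatever the vendor put in action= under a different name so it
    # never collides with the CIM action field.
    if 'action' in fields:
        fields['vendor_action'] = fields.pop('action')
    # The narrow pattern only fires on action=Success / action=Fail; the
    # event with action=session_open therefore gets no CIM action at all.
    match = CIM_ACTION_RE.search(event)
    if match:
        fields['action'] = match.group('action')
    return fields


def normalize_all(events=SAMPLE_EVENTS):
    """Apply extract_fields to every event and return the list of field dicts."""
    return [extract_fields(event) for event in events]


if __name__ == '__main__':
    for fields in normalize_all():
        print(fields)
```

Note that the third event ends up with vendor_action=session_open and no action field, which is exactly the gap the question is about; mapping that source's result field onto action would be a separate, source-specific extraction.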