How to change a field name?

stegray93 · ‎07-11-2016

Hello,

I'm trying to get a clearer picture of data from our Okta application however two pieces of information have the exact same field. Is there a way to change this?

So the example here is we are searching for all users and we want just a list of their names. The search query below is what we use to find it, however it drags a brower name too.

source=okta:event actors{}.displayName=*

exampleUser

exampleBrowser

When that query is returned, it provides us with the name of the user which is what we want but also displays the browser they used.

Just to be clear, the browser information isn't tied to the one field and just appears at the end. There are just two identical fields called actors{}.displayName, one displays a browser the other a name.

rafamss · ‎07-11-2016

Hi stegray93,

I believe that you could use expression regular for extract this information. Do you can send the some samples of data for help you ?

stegray93 · ‎07-11-2016

Hi below is the sample event. Parts in bold are the parts I am referring too.

{ [-]
action: { [+]
}
actors: [ [-]
{ [-]
displayName: Example
id: 00u10rdjtruAa5Qbf0x7
login: example@flexerasoftware.com
objectType: User
}
{ [-]
displayName: CHROME
id: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
ipAddress: 50.233.14.1
objectType: Client
}
]
eventId: tevs4oEpigaRlS8BgQGODiMig1468252444000
published: 2016-07-11T15:54:04.000Z
requestId: V4PBG-P59xfVa7HBAKck6wAABUU
sessionId: 1018VGvLCuXQ6CcHoC9rltHmg
targets: [ [+]
]

rafamss · ‎07-18-2016

Both fields is inside of a same node of json, or not? The content of first field displayName have a fixed size? Because if the first field have the fixed size (7 bytes), could you use this regex: (displayName:\s[A-Z]{6})

somesoni2 · ‎07-11-2016

Try this

source=okta:event actors{}.displayName=* | eval "actors{}.displayName"=mvindex('actors{}.displayName',0)

Updated Answer based on sample event.

Give this a try

 source=okta:event actors{}.displayName=* actors{}.objectType=User

stegray93 · ‎07-11-2016

That didn't work 😞 still showing the browser information. We originally tried a NOT command with an AND that didn't seem to like it either.

somesoni2 · ‎07-11-2016

Any pattern in the event which shows the Browser names OR any pattern in the value using which those events could be filtered out? Probably one sample event of user and browser would help understand the problem better.

stegray93 · ‎07-11-2016

Please see below a standard sample event. Let me know if you need more.

{ [-]
action: { [+]
}

actors: [ [-]
{ [-]
displayName: Example
id: 00u10rdjtruAa5Qbf0x7

login: example@flexerasoftware.com

objectType: User

}
{ [-]
displayName: CHROME

id: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

ipAddress: 50.233.14.1

objectType: Client

}

]

eventId: tevs4oEpigaRlS8BgQGODiMig1468252444000

published: 2016-07-11T15:54:04.000Z

requestId: V4PBG-P59xfVa7HBAKck6wAABUU

sessionId: 1018VGvLCuXQ6CcHoC9rltHmg

targets: [ [+]
]

somesoni2 · ‎07-11-2016

Try the updated answers.

stegray93 · ‎07-11-2016

Still didn't work. When I stat them up Chrome, IE11 and FireFox are still the top 3. It's strange as it generates it as if they were their own user, then when applying the NOT to the search string for CHROME then it removes anyone who's logged in using CHROME.

somesoni2 · ‎07-11-2016

Would you be able to provide some screenshot on how the events look like upon runnign the updated query?

stegray93 · ‎07-12-2016

Might sound like a silly question but how do I upload an image into here?

somesoni2 · ‎07-12-2016

You can upload the image to a site like https://postimage.org/ and post the URL here.

How to change a field name?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life