What is the best approach to defining a field (the user API key field) that in our logs appears in 2 different ways because we take different requests from both an old and a new REST interface?
The apiKey field exists in each REST API differently:
Request API Version 1:
/2.0/APIKEY-GOES-HERE/query.json?param1=value1&param2=value2
Request API Version 2:
/query.json?apikey=APIKEY-GOES-HERE&param1=value1&param2=value2
You can simply either define two extractions, or a single extraction with an alternating regex. An extraction that fails will simply have no effect (other than consuming the resources of checking for the match).
e.g.:
EXTRACT-v1 = /2\.0/(?<apikey>[^\/]*)/ in uri
EXTRACT-v2 = /query\.json\?apikey=(?<apikey>[^\=\&]*) in uri
The second extract could also be performed automatically by an appropriate KV extraction using DELIMS or KV_MODE.
Field aliases to normalize different field names
Source: http://docs.splunk.com/Documentation/Splunk/4.3.1/User/TagAndAliasFieldValues
Quote from docs:
"Alias field names
You can add multiple aliases to a field name or use these field aliases to normalize different field names. This does not rename or remove the original field name. After you alias a field, you can search for it using any of its name aliases. To alias a field name, you need to have access to props.conf. For information on how to do this, see Create aliases for fields in the Knowledge Manager manual."
For the novice: gkanapathy's answer of using an alternating regex refers to using "OR" with a '|' within the regex. See my solution below:
EXTRACT-v3 = (/2\.0/|apikey=)(?<apikey>[^\/&]*)
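To see how the two separate extractions and the alternating one behave on both URI shapes, here is an added Python example (not from this thread and not Splunk's own code). The sample URIs are constructed; Python's `(?P<name>...)` stands in for Splunk's `(?<name>...)` group syntax, and the v2 pattern is generalised to find apikey anywhere in the query string, not only as the first parameter.

```python
import re

# Constructed sample request URIs (not from the original post) covering
# both REST interfaces plus two edge cases.
SAMPLE_URIS = [
    "/2.0/KEY-V1-AAA/query.json?param1=value1&param2=value2",    # API v1
    "/query.json?apikey=KEY-V2-BBB&param1=value1&param2=value2",  # API v2
    "/query.json?param1=value1&apikey=KEY-V2-CCC",                # v2, key not first
    "/query.json?param1=value1&param2=value2",                    # no key at all
]

# Splunk-style extractions written as Python regexes. Dots and the literal
# '?' are escaped so they match themselves rather than acting as operators.
EXTRACTIONS = {
    "v1": re.compile(r"^/2\.0/(?P<apikey>[^/]*)/"),
    "v2": re.compile(r"/query\.json\?(?:[^&]*&)*apikey=(?P<apikey>[^=&]*)"),
    # One alternating extraction that covers both interfaces.
    "v3": re.compile(r"(?:^/2\.0/|[?&]apikey=)(?P<apikey>[^/&=]*)"),
}


def extract(pattern, uri):
    """Return the apikey value one extraction yields, or None if it does
    not match (a failed extraction simply contributes nothing)."""
    m = pattern.search(uri)
    return m.group("apikey") if m else None


def extract_all(uri):
    """Apply every extraction to one URI and report what each produced,
    mirroring how several EXTRACT-* settings act independently on an event."""
    return {name: extract(p, uri) for name, p in EXTRACTIONS.items()}


def apikey_for(uri):
    """First non-empty apikey across the extractions, or None."""
    for value in extract_all(uri).values():
        if value:
            return value
    return None


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(uri, "->", extract_all(uri))
```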