How to create an alias for a CIM field in Splunk E...

jwalzerpitt · ‎12-06-2019

I am extracting the src and user values from failed login attempts in Shibboleth logs and the value is "failed" so I can set an event type for failed Shib login attempts.

When I check the CIM documentation for fields for Authentication event datasets, I see the value ES expects is "failure".

How do I create an alias for the field action so that "failed" is set to "failure" so ES can then leverage it?

Thx

woodcock · ‎12-06-2019

Probably the string failed is in your logs and it is a simple field extraction. If that's the case, then you need to create a calculated field that does:

eval action=if(action=="failed", "failure", action)

lkutch_splunk · ‎12-06-2019

Would a field alias do the trick? https://docs.splunk.com/Documentation/CIM/4.14.0/User/UsetheCIMtonormalizeCPUperformancemetrics#Step...

jwalzerpitt · ‎12-06-2019

Thx for the reply and link to the doc.

It's not so much the field needs an alias, but the value "failed" needs to be set as "failure". I thought that's where the SEDCMD would come into play.

jwalzerpitt · ‎12-06-2019

Actually digging through Splunk Answers saw a way to use sedcmd and was wondering if this would be a way to handle the issue:

index=foo sourcetype="shibboleth:process" "Login by*" failed
| rex mode=sed field=_raw "s/failed/failure/g" 
| rex field=_raw "-\s\[(?P<src>(?:[0-9]{1,3}\.){3}[0-9]{1,3}).*:\sLogin\sby\s'(?P<user>.*)'\s(?P<action>failure)"

Running this extracts all three fields with correct values. If this looks good, could I then create an event type with this search for failed Shib login attempts?

Thx

How to create an alias for a CIM field in Splunk ES?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!