Splunk Search

Splunk Field Extraction

cyber_castle
Path Finder

I have indexed few sample logs in to the Splunk..

2020-02-15T10:41:54.305Z servername.com sev="INFO" msg_details="Audit success" pol_name="policy_name"

Splunk by default extract the fields sev, msg_details, pol_name and extract the values appropriately. Everything loos good.

For me, i need to rename the field as severity instead of sev, Description instead of msg_details and Policies instead of pol_name.

I have updated the props.conf

[sourcetype]
FIELDALIAS-severity = sev AS Severity
FIELDALIAS-msg_details = msg_details AS Description
FIELDALIAS-pol_name = pol_name AS Policies

Fields are extracting properly.

When i run the search on Verbose Mode, i can see both sev and Severity, which is quiet annoying for the Analysts

Is it normal or do i have to write a EXTRACT function with appropriate REGEX in order to show only the Severity field NOT sev.

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @cyber_castle,
Yes it's normal:

  • if you create an alias you have both the fields,
  • also using a regex you continue to have all the automatic field extractions so you'll have both the field names.

the only way to avoid to have both the field names is to insert a rename in all your searches.

Ciao.
Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @cyber_castle,
Yes it's normal:

  • if you create an alias you have both the fields,
  • also using a regex you continue to have all the automatic field extractions so you'll have both the field names.

the only way to avoid to have both the field names is to insert a rename in all your searches.

Ciao.
Giuseppe

0 Karma

cyber_castle
Path Finder

Thanks a lot for your prompt response.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...