- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Is it possible to create a field alias by even...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to create a field alias by event type?
I need to create a field aliase by event type. I saw that it is possible to reference an eventtype from the props.conf:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Propsconf
I am running Splunk 6.3.1
I've tried the following without success:
props.conf
[eventtype::opsec_vpn_bachata]
FIELDALIAS-user_for_opsec_vpn_bachata = user_dn as user
FIELDALIAS-user_for_opsec_vpn_bachata_cust = user_dn as user_cust
LOOKUP-action_for_opsec_bachata = te_action_lookup te_action OUTPUT action
eventtypes.conf
[opsec_vpn_bachata]
search = index="opsec-lea-cust" orig=bachata event_type=Login
#tags = vpn authentication*
Thank you very much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I worked on the very similar problem right now but I had a to match on a mv field.
So i used something like this:
EVAL-action = if(mvfind(eventtype,"usp_nac-state_change")=1, "modified", null())
Maybe it helps someone in the future 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to do something like this in props.conf instead:
[YourSourcetypeHere]
EVAL-user = if((eventtype=opsec_vpn_bachata)), user_dn, null())
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This shouldn't work, because the calculated fields are made well before the typer even runs.
Typer and thus eventtypes, don't exist until after all the other props.conf stuff is done -- extractions, Aliases, calculated fields and lookups.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would open a support case. That "feature" is documented only in v6.3.0 and v6.3.1 of props.conf but disappears from v6.3.2 documentation versions and later. I can find no mention of the feature being added or deleted in any of the v6.* release notes. Did this ever work? What is the story? Only splunk can say.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your answer.
I am opening the case.
In the meantime, do you know a way to achieve what I am trying to do?
Thank's again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See my answer. It works.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
