Knowledge Management

Applying "FieldAlias" for specific type of event.

im_bharath
Path Finder

Hey All, 

I have 3 types of events coming from the same source (see below) with different codes such as TS01, US03 and VS05 respectively:

1) ABC:0|Application|ABCD|I2.0|TS01|Logging Change|Medium| eventId=4xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com....... 

2) ABC:0|Application|ABCD|I2.0|US03|Logging Update|Medium| eventId=5xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com

3) ABC:0|Application|ABCD|I2.0|VS05|Logging Revert|Medium| eventId=6xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com

So, in event (1) I want to rename src_user as dest_user and shost as dhost, without the same fields in the other 2 types of events.

In props.conf I can add the below:

FIELDALIAS-src_host = src_host AS dest_host

FIELDALIAS-shost = shost AS dhost

But the issue is that if I use the above in props.conf, the changes will get applied across all the event codes, so my question is whether there is a way to achieve this for only a specific code, let's say "TS01".

Any help on this will be much appreciated. 

Thanks. 


richgalloway
SplunkTrust

Can you use an EVAL instead of FIELDALIAS?  If so, and presuming the 'type' field exists then this may work for you.

EVAL-dest_host = if(type="TS01", src_host, dest_host)
EVAL-dhost = if(type="TS01", shost, dhost)
---
If this reply helps you, Karma would be appreciated.
0 Karma
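
The reply's EVAL approach wired up for the sample events in the question, as an added example that is not part of the original thread. The sourcetype name and the `event_code` field are placeholders, and the regex assumes the pipe-delimited header shown in the question and that src_user and shost are already extracted at search time.

```ini
# props.conf (search-time settings)
# Added example; [abc:application] is a placeholder sourcetype name.
[abc:application]

# Pull the 5th pipe-delimited header field (TS01 / US03 / VS05) into a
# hypothetical field named event_code. The reply presumes a field like
# this ("type") already exists; drop this line if yours does.
EXTRACT-event_code = ^ABC:0\|(?:[^|]*\|){3}(?<event_code>[^|]+)\|

# Calculated fields run after extractions and field aliases, so
# event_code, src_user and shost are available here. For TS01 copy the
# source-side value; for every other code keep whatever dest_user/dhost
# already hold (null when those fields do not exist on the event).
EVAL-dest_user = if(event_code=="TS01", src_user, dest_user)
EVAL-dhost = if(event_code=="TS01", shost, dhost)

# Optional: override the original names with null on TS01 events only.
# Calculated fields cannot reference one another, so these see the
# extracted src_user/shost, not the output of the lines above.
EVAL-src_user = if(event_code=="TS01", null(), src_user)
EVAL-shost = if(event_code=="TS01", null(), shost)
```

To confirm the scope, search the sourcetype and group by event_code: dest_user and dhost should be populated only where event_code is TS01.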