We currently have an alert set up that generates a ticket in our ticketing platform. We are moving to a new ticketing platform and have used collect to collect the event and put it in a new index for that ticketing platform to pull data from.
Is there a way to rename fields of the event that is collected, but not change the field names for the current alert? We have to have different field names for the new ticketing system to map correctly. My only idea right now is either to duplicate the alert and have them run in parallel, or, when the ticketing system queries Splunk for new events, to have that query contain a search macro that does the renaming before the events are ingested.
You could put your collect in an appendpipe in your alert search, something like this
<your search>
| appendpipe
[| rename x as y
| table y
| collect index=other
| where false()]
| fields - y
So to make sure I understand what's happening: we are modifying information in a separate summary, then using table to reveal that information, and collecting that info. Once we break out of the appendpipe, we then display the original fields.
If you don't mind me asking, what is the where false() for?
Almost - the table is to restrict the fields to just those you want in the summary index. The where false() is to remove the events that you have added to the summary index, otherwise you will effectively double the events you have returned by the search. The first half being the original events, and the second half being the events with the renamed fields.
Consider this
<your search>
| appendpipe
[]
This duplicates all your events!
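To make the doubling concrete, here is a small Python model of how the `appendpipe [...]` / `where false()` pattern behaves. It is an added example, not code from the thread or from Splunk; the event shapes, field names `x`/`y`, the in-memory "index" list and the pipeline functions are assumptions that mimic the SPL commands, not Splunk's implementation. `| fields - y` is left out because the original events never carry `y`.

```python
# Added example (not from the thread): a small Python model of how
# `appendpipe [...]` and `where false()` behave, so the duplication
# warning in the reply can be checked on constructed events.
# The "index", event shapes and field names are assumptions for the model,
# not Splunk's real implementation.

from copy import deepcopy

# Constructed sample events, standing in for the alert search results.
ALERT_EVENTS = [
    {"_time": 1700000000, "host": "web01", "x": "disk full"},
    {"_time": 1700000060, "host": "web02", "x": "cpu high"},
]


def rename(events, old, new):
    """| rename old AS new : move the value under a new field name."""
    out = []
    for e in events:
        e = dict(e)
        if old in e:
            e[new] = e.pop(old)
        out.append(e)
    return out


def table(events, *fields):
    """| table f1 f2 ... : keep only the listed fields, in that order."""
    return [{f: e[f] for f in fields if f in e} for e in events]


def collect(events, index):
    """| collect index=... : copy the events into the summary index and
    pass them on unchanged down the pipeline."""
    index.extend(deepcopy(events))
    return events


def where_false(events):
    """| where false() : drop every event in this branch of the pipeline."""
    return []


def appendpipe(events, subpipeline):
    """| appendpipe [ ... ] : run the subpipeline over a copy of the
    current results and append whatever it returns to the originals."""
    return events + subpipeline(deepcopy(events))


def run_alert(events, index, drop_branch=True):
    """The reply's pattern. drop_branch=False omits `| where false()`
    to show the doubling the reply warns about."""
    def branch(evts):
        evts = rename(evts, "x", "y")
        evts = table(evts, "y")
        evts = collect(evts, index)
        return where_false(evts) if drop_branch else evts

    return appendpipe(events, branch)


if __name__ == "__main__":
    other = []
    kept = run_alert(ALERT_EVENTS, other)
    print(len(kept), "events returned to the alert;", len(other), "written to the index")
    print("index rows:", other)
    doubled = run_alert(ALERT_EVENTS, [], drop_branch=False)
    print(len(doubled), "events returned without where false()")
```

With `drop_branch=True` the alert still sees exactly its original two events while the index receives two rows that carry only `y`; without `where false()` the search returns four events, the originals followed by the renamed copies. Note that in the model, as in Splunk, `collect` writes whenever the search runs, so every re-run of the search adds another set of rows to the index.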
You're awesome. But now I have a conundrum. The analysts do not like the fact that we added the collection at the end of the alert, because now, when they go to the Splunk link, they have accidentally kicked off more tickets because they didn't remove the collection before modifying the search to investigate an alert. Now I'm trying to figure out how I can collect and rename fields while also not impacting their search 😕
Hi @tr_newman,
why don't you use two different alerts, one for each system with its own field names?
Ciao.
Giuseppe
What ticketing system are you using? Are you trying to avoid modifying the saved search for the alert?