Renaming fields

Craig Merchant cmerchant at responsys.com
Sat Feb 23 19:36:42 EST 2013


We're using Splunk as our SIEM and flow analysis tool.  They have a "Common Information Model" that standardizes a lot of fields found in different types of event data (dest_port, dest_country, duration, etc.).

We're having racluster connect to radium for five minutes and write the results to a table that we can import into Splunk for analysis.  So, I've got to be able to import that data and run all of my analysis queries within five minutes.  There is a "rename" command in Splunk that I can use to rename the fields, but my research has shown that command takes almost as long to run as the data import (30-45 seconds).

The most efficient thing to do is probably just pipe the racluster output to sed and rewrite the header row.  I was just curious if there was an easy, one-time change I could make that would achieve the same effect.

Thx.

Craig
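The header-only rewrite described above, as an added example that is not part of the original thread or of the Argus tools: it pipes CSV output through awk and renames just the first line, so data rows (which can legitimately contain strings such as "Dur" or "Dport" in no field, but could in principle contain a value matching a label) are never touched. The Argus column labels and the CIM mapping in the table are assumptions; the sample input is constructed, not captured data. Intended usage is `racluster ... -c , | rename_header > flows.csv`, using ra's `-c` delimiter option.

```shell
#!/bin/sh
# Added example (not from the original thread): rewrite only the header row of
# racluster/ra CSV output so the column names match Splunk CIM field names,
# leaving every data row byte-for-byte unchanged.

# rename_header: read CSV on stdin, map the first line's column names through
# the table, pass everything else through. Unknown labels are left as-is.
rename_header() {
    awk -F',' -v OFS=',' '
        BEGIN {
            # Argus label -> Splunk CIM field (assumed mapping, adjust to taste)
            map["StartTime"] = "start_time"
            map["Dur"]       = "duration"
            map["Proto"]     = "transport"
            map["SrcAddr"]   = "src_ip"
            map["Sport"]     = "src_port"
            map["DstAddr"]   = "dest_ip"
            map["Dport"]     = "dest_port"
            map["TotPkts"]   = "packets"
            map["TotBytes"]  = "bytes"
        }
        NR == 1 {
            for (i = 1; i <= NF; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", $i)   # strip padding ra may add
                if ($i in map) $i = map[$i]
            }
            print; next
        }
        { print }                                  # data rows untouched
    '
}

# Constructed sample of "racluster -c ," output (not real traffic).
SAMPLE='StartTime,Dur,Proto,SrcAddr,Sport,DstAddr,Dport,TotPkts,TotBytes
2013-02-23 19:00:01.123,0.512,tcp,10.0.0.5,51234,10.0.0.9,443,12,1840'

# Helpers that return one line each, so the result can be checked.
renamed_header() {
    printf '%s\n' "$SAMPLE" | rename_header | sed -n '1p'
}
first_data_row() {
    printf '%s\n' "$SAMPLE" | rename_header | sed -n '2p'
}

printf '%s\n' "$SAMPLE" | rename_header
```

Because only line 1 is edited, the cost is one awk pass with no per-row substitutions, which is the "do it once in the pipeline" approach the message prefers over Splunk's rename command; a plain `sed 's/Dport/dest_port/'` over the whole stream would also rewrite any data value that happened to contain the label.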

From: Carter Bullard [mailto:carter at qosient.com]
Sent: Saturday, February 23, 2013 10:32 AM
To: Craig Merchant
Cc: Argus (argus-info at lists.andrew.cmu.edu)
Subject: Re: [ARGUS] Renaming fields

Hmmm, renaming the fields?  Not thinking that is a good thing.
What do you want to rename?
Carter

On Feb 22, 2013, at 8:55 PM, Craig Merchant <cmerchant at responsys.com> wrote:


Is it possible to modify the names of the fields that ra clients output?

Thx.  I hope you're feeling better, Carter!

Craig
