Extract and Alias Field Names in Splunk 4.0 Now
| Topics: | Homepage, features, how-to, maverick, technical |
|---|---|
| Tags: | 4.0, 40 days of 4.0, cool, correlate, extract, fieldalias, help, Splunk |
I’ve had this topic come up in several technical conversations lately, so I thought I would blog about it now.
Situation: You have two different source types containing common key field values, but the actual name of the field itself is different within each of the source types.
Question: How do you produce a report within Splunk that correlates all of these field values together under one normalized field name?
Answer: Use the new FIELDALIAS and EXTRACT features included with Splunk 4.0 to normalize the field name at search-time.
Example: Let’s suppose you have two different types of call detail records, each containing a number that represents the total duration in seconds that someone is on a phone call.
One CDR event looks like this:
```
TELCOE,2.1,7e197787-655330a9-7a458301-70845177@12.13.20.20,,0,,H,,S,,sip:7622550@127.10.15.17:5050, sip:5558889999@120.10.20.20:55555,TELCO:Dallas,TX,0,sip:7622555@110.130.52.25:5050,NORTH:NORTH,200,0,1,0,1,0,08/02/2009:05:03:21,08/02/2009:02:03:22,92,UNKNOWN,0,0
```
and the other CDR record looks like this:
```
TIME=20090802104826865|CHAN:332|SESSIONID:100102345|CALLDURATION:93|CALLINGNUM:5558431297|CALLEDNUM:5559903894|UNIQID:8948373827100002938847889873474893
```
Now, let’s take a look at the Splunk configuration files to index these source types and extract the call duration values out into fields.
inputs.conf

```
[monitor:///$SPLUNK_HOME/etc/apps/cdr/logs/CDR.txt]
sourcetype = cdr_log

[monitor:///$SPLUNK_HOME/etc/apps/cdr/logs/cdr2.txt]
sourcetype = cdr2_log
```

props.conf

```
[cdr_log]
# Inline regex extraction: the named group captures the seconds value
# that follows the second timestamp into a field called callDuration
EXTRACT-calldur = ^.*?:\d\d:\d\d:\d\d,(?<callDuration>\d+),\w+,\d+\.\d+\.\d+\.\d+,

[cdr2_log]
# Delimiter-based extraction is defined in transforms.conf
REPORT-cdr2 = cdr2-kvpairs
```

transforms.conf

```
[cdr2-kvpairs]
# First delimiter separates the key/value pairs, second separates key from value
DELIMS = "|", ":"
```
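To see the two search-time extractions and the normalization step working together, here is an added Python emulation; it is not code from the post and not Splunk's extraction engine. It assumes the post's EXTRACT regex trimmed of its trailing IP clause (the sample event as printed ends at `0,0`, before any IP address), that tokens without a key/value delimiter are skipped, and a hypothetical normalized field name `call_duration`.

```python
import re

# Constructed sample events, copied from the two CDR formats shown above.
CDR_EVENT = ("TELCOE,2.1,7e197787-655330a9-7a458301-70845177@12.13.20.20,,0,,H,,S,,"
             "sip:7622550@127.10.15.17:5050, sip:5558889999@120.10.20.20:55555,"
             "TELCO:Dallas,TX,0,sip:7622555@110.130.52.25:5050,NORTH:NORTH,200,0"
             ",1,0,1,0,08/02/2009:05:03:21,08/02/2009:02:03:22,92,UNKNOWN,0,0")
CDR2_EVENT = ("TIME=20090802104826865|CHAN:332|SESSIONID:100102345|CALLDURATION:93|"
              "CALLINGNUM:5558431297|CALLEDNUM:5559903894|"
              "UNIQID:8948373827100002938847889873474893")

# EXTRACT-calldur from props.conf without its trailing IP clause (assumption:
# the printed sample ends at "UNKNOWN,0,0", so that clause has nothing to match).
CALLDUR_RE = re.compile(r"^.*?:\d\d:\d\d:\d\d,(?P<callDuration>\d+),\w+,")


def extract_cdr_log(event: str) -> dict:
    """Regex extraction for sourcetype cdr_log (props.conf EXTRACT-calldur)."""
    m = CALLDUR_RE.match(event)
    return dict(m.groupdict()) if m else {}


def extract_cdr2_log(event: str, pair_delim: str = "|", kv_delim: str = ":") -> dict:
    """Delimiter extraction for cdr2_log, as [cdr2-kvpairs] DELIMS = "|", ":" does.
    Assumption: a token with no kv delimiter (e.g. TIME=...) is skipped."""
    fields = {}
    for pair in event.split(pair_delim):
        if kv_delim in pair:
            key, value = pair.split(kv_delim, 1)
            fields[key] = value
    return fields


# Per-sourcetype alias map: each format's own duration field is exposed under one
# shared name (hypothetical: call_duration), which is the job FIELDALIAS does at
# search time. The original field is kept alongside the alias.
ALIASES = {
    "cdr_log": {"callDuration": "call_duration"},
    "cdr2_log": {"CALLDURATION": "call_duration"},
}
EXTRACTORS = {"cdr_log": extract_cdr_log, "cdr2_log": extract_cdr2_log}


def normalize(sourcetype: str, event: str) -> dict:
    """Run the sourcetype's extraction, then apply its aliases."""
    fields = EXTRACTORS[sourcetype](event)
    for src, dst in ALIASES.get(sourcetype, {}).items():
        if src in fields:
            fields[dst] = fields[src]
    fields["sourcetype"] = sourcetype
    return fields


def total_duration(events) -> int:
    """Emulates a single report summing call_duration across both sourcetypes."""
    return sum(int(normalize(st, ev)["call_duration"]) for st, ev in events)
```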

