Hi,
I'm trying to get to grips with CIM and am getting there slowly; however, I've hit a snag that I can't seem to get around, and it makes one of my field extraction results 'ugly'!!
I've got a load of events from different sources in my `eventtype="Authenticate"` type. In nearly every case, I've had to create a dynamic field extraction called `action` (as per the CIM model name) for the `Success/Fail` status. So far so good.
I've started ingesting another `Authentication` type log which, unfortunately, contains the KV field `action=some_unique_string`.
Is there any way that I can get Splunk to either ignore this KV or change the key to something other than `action` so that I can use my own `action` field extraction?
Thanks, Mark.
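One way to stop the vendor's `action=` pair from colliding with the CIM `action` field, added here as an example and not part of the original post or of any Splunk add-on: turn off automatic KV extraction for that one sourcetype with `KV_MODE = none`, then pull out the vendor value explicitly under a different name. The sourcetype name `vendor:auth`, the transform name `vendor_auth_kv` and the target field name `vendor_action` are assumptions; substitute your own. The existing CIM `action` extraction for the sourcetype is left in place and now has nothing to fight with.

```ini
# props.conf (search head, or the app that owns the sourcetype)
# [vendor:auth] is an assumed sourcetype name
[vendor:auth]
# Disable automatic key=value extraction so "action=some_unique_string"
# is no longer turned into the field "action" at search time.
KV_MODE = none
# Re-extract the vendor's value under a non-CIM name via transforms.conf
REPORT-vendor_kv = vendor_auth_kv
# Your own Success/Fail extraction for CIM (regex placeholder, keep yours)
EXTRACT-cim_action = (?<action>Success|Fail)

# transforms.conf
# [vendor_auth_kv] is an assumed transform name
[vendor_auth_kv]
# Capture the vendor's action value; \b avoids matching e.g. "transaction="
REGEX = \baction=(\S+)
# Store it as "vendor_action" instead of "action"
FORMAT = vendor_action::$1
```

Because `KV_MODE = none` removes every auto-extracted field for that sourcetype, any other vendor fields you still want must get their own `EXTRACT-` or `REPORT-` entry. To confirm the result, search the sourcetype and run `| stats count by action, vendor_action`: `action` should now show only your `Success`/`Fail` values and `vendor_action` the vendor's strings.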