https://community.splunk.com/t5/Splunk-Dev/Splunk-7-2-0-Field-Aliases-incorrect-behavior/m-p/437323#M7889 <P>Thanks for this - We have just found the same issue. Oh joy!</P> Fri, 08 Feb 2019 02:21:13 GMT Melstrathdee 2019-02-08T02:21:13Z https://community.splunk.com/t5/Splunk-Dev/Splunk-7-2-0-Field-Aliases-incorrect-behavior/m-p/437319#M7885 <P>Hi,<BR /> I checked my app on version 7.2.0 and I found incorrect behavior.<BR /> I exported my log file both to Splunk Enterprise 7.1.2 and 7.2.0.<BR /> In version 7.1.2 everything works as expected but in 7.2.0 I noticed that for some reason (which I really have no idea) one field inside the log ("action") is missing from extracted fields.<BR /> The method for extracting fields is regex based on key-value pairs.</P> <P>The mapping was not changed at all and the app is exactly the same.<BR /> When I add another field aliases from the missing field into new filed ("action_test"), I can see the new field in the extracted fields on search view but not the original field.</P> <P>Is anyone have any idea about it?</P> <P>Thank you</P> Thu, 18 Oct 2018 04:36:26 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-7-2-0-Field-Aliases-incorrect-behavior/m-p/437319#M7885 shayhibah 2018-10-18T04:36:26Z https://community.splunk.com/t5/Splunk-Dev/Splunk-7-2-0-Field-Aliases-incorrect-behavior/m-p/437320#M7886 <P>FIELDALIAS behavior change in 7.2:<BR /> FIELDALIAS for a specific field overwrites the field value, regardless of whether it is NULL or not. In earlier versions, FIELDALIAS did NOT overwrite the value in case of NULL.</P> <P>Solution to this is to use COALESCE:</P> <P>FIELDALIAS-s_computername = s_computername as host<BR /> should be something like <BR /> EVAL-host=coalesce(s_computername, host)</P> Tue, 29 Sep 2020 21:56:51 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-7-2-0-Field-Aliases-incorrect-behavior/m-p/437320#M7886 mreynov_splunk 2020-09-29T21:56:51Z https://community.splunk.com/t5/Splunk-Dev/Splunk-7-2-0-Field-Aliases-incorrect-behavior/m-p/437321#M7887 <P>This is not the same, and can cause other problems "down stream". If for example you use that alias field in a EVAL you can not do that anymore.<BR /> The below (super simplified) example will not work anymore:</P> <P>_raw data1: "2018-12-06 15:54:00 Account_Name=arnold sid=123 message=bla" <BR /> _raw data2: "2018-12-06 15:54:00 user=arnold sid=123 message=bla" </P> <P>FIELDALIAS-user = user AS Account_Name<BR /> EVAL-userid = case(isnotnull(user),user, isnotnull(sid),sid)</P> <P>in data1 you will miss the Account_Name field even though it is in the data, this cannot be solved with evals in this manner:<BR /> EVAL-user = coalesce(Account_Name, user)<BR /> EVAL-userid = case(isnotnull(user),user, isnotnull(sid),sid)</P> <P>Because according to the props.conf spec file:<BR /> * When multiple EVAL-* statements are specified, they behave as if they are run in parallel, rather than in any particular sequence.<BR /> * For example say you have two statements: EVAL-x = y*2 and EVAL-y=100. In this case, "x" will be assigned the original value of "y * 2," not the value of "y" after it is set to 100.</P> <P>So in my opinion this is a major breaking change in the way 7.2.x works, and there is no mentioning of it in any doc (spec file/release notes/known issues/.....)</P> Tue, 29 Sep 2020 22:21:48 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-7-2-0-Field-Aliases-incorrect-behavior/m-p/437321#M7887 aholzel 2020-09-29T22:21:48Z https://community.splunk.com/t5/Splunk-Dev/Splunk-7-2-0-Field-Aliases-incorrect-behavior/m-p/437322#M7888 <P>Found a similar problem in the Splunk_TA_microsoft-iis app.<BR /> In the default props.conf they do this:</P> <BLOCKQUOTE> <PRE><CODE>FIELDALIAS-s_computername = s_computername as host </CODE></PRE> <P>If s_computername is not found in the event, I no longer have a host field in my event.</P> </BLOCKQUOTE> <P>This behavior popped up after the upgrade from 6.5 to 7.2.<BR /> Disabling this alias does the trick for me because all events come from a forwarder on the server itself, so I did an overwrite of the alias in the local folder like this:</P> <BLOCKQUOTE> <PRE><CODE>FIELDALIAS-s_computername = </CODE></PRE> </BLOCKQUOTE> Tue, 29 Sep 2020 22:55:11 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-7-2-0-Field-Aliases-incorrect-behavior/m-p/437322#M7888 deangoris 2020-09-29T22:55:11Z https://community.splunk.com/t5/Splunk-Dev/Splunk-7-2-0-Field-Aliases-incorrect-behavior/m-p/437323#M7889 <P>Thanks for this - We have just found the same issue. Oh joy!</P> Fri, 08 Feb 2019 02:21:13 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-7-2-0-Field-Aliases-incorrect-behavior/m-p/437323#M7889 Melstrathdee 2019-02-08T02:21:13Z https://community.splunk.com/t5/Splunk-Dev/Splunk-7-2-0-Field-Aliases-incorrect-behavior/m-p/437324#M7890 <P>Hi there, we had the same issue ever since we jumped into 7.2.3 from 7.0.3. For an example on Proxy TA props.conf we had aliases configured such as below. </P> <P>FIELDALIAS-http_referrer = cs_Referer as http_referrer<BR /> FIELDALIAS-user_agent = cs_User_Agent as http_user_agent</P> <P>But on transforms.conf had the field alias instead of the actual field name - something like below. </P> <P>REGEX = (?\d{4}-\d{2}-\d{2})\s+(?[^\s]+) ... (?-|\S+)\ ... (?\S+) ...</P> <P>By changing the RegEx to actual field name was fixed this issue and Splunk support will update their release notes under SPL-166565 stating that the field extraction is more restrictive on 7.2.3.</P> Tue, 29 Sep 2020 23:17:48 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-7-2-0-Field-Aliases-incorrect-behavior/m-p/437324#M7890 dwickram 2020-09-29T23:17:48Z https://community.splunk.com/t5/Splunk-Dev/Splunk-7-2-0-Field-Aliases-incorrect-behavior/m-p/437325#M7891 <P>Do you mean to say to use the coalesce in place of the fieldalias definition?</P> Fri, 06 Dec 2019 17:06:45 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-7-2-0-Field-Aliases-incorrect-behavior/m-p/437325#M7891 sarmstrong_splu 2019-12-06T17:06:45Z