https://community.splunk.com/t5/Knowledge-Management/Field-Alias-by-sourcetype-not-working/m-p/561020#M5112 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/57946">@torowa</a>&nbsp;<BR /><BR />Can you try the below solution:</P><LI-CODE lang="markup">| rest /services/data/props/fieldaliases | rename title as Name, value as "Field aliases", eai:acl.app as App, eai:acl.owner as Owner, stanza as "Source Type" | table Name "Field aliases" App Owner "Source Type"</LI-CODE><P>I observed that even if we mention source type the fields are coming. Additionally, the pattern in the Name field is &lt;<SPAN>stype&gt;: FIELDALIAS-&lt;class&gt;</SPAN><BR /><BR />Can you try the above solution?</P><P>If it's still not working can you check whether the mentioned configurations in your props are working?</P> Tue, 27 Jul 2021 12:54:17 GMT jhanvidattani 2021-07-27T12:54:17Z https://community.splunk.com/t5/Knowledge-Management/Field-Alias-by-sourcetype-not-working/m-p/558643#M5096 <P>Hi Splunkers.<BR /><SPAN>I'm trying to troubleshoot an issue with field aliases based on a particular sourcetype.</SPAN></P><P>1) Field alias was configured in SplunkWeb as the follows (modified for privacy reasons):</P><P><SPAN>Name_Mode:Type_of_access:SECURED : FIELDALIAS-Mode_extract_for_web<BR /></SPAN><SPAN>(</SPAN><STRONG>Name_Mode:Type_of_access:SECURED</STRONG><SPAN>&nbsp;is the sourcetype.)</SPAN><SPAN><BR /></SPAN></P><P><SPAN>uri = uri_path.</SPAN><SPAN><BR /></SPAN></P><P>2) If I run the following, it lists the alias definition correctly:<BR /><SPAN>| rest /services/data/props/fieldaliases<BR /></SPAN>| rename title as Name, value as "Field aliases", eai:acl.app as App, eai:acl.owner as Owner<BR />| table Name "Field aliases" App Owner</P><P>3)&nbsp;When searching specifically for that sourcetype, the events are returned but without the field alias.<BR />The sourcetype has multiple colons in the name.&nbsp; I can't see that causing the alias to fail as there are other field aliases used against similarly-named sourcetypes (in other apps) that are working without issue.</P><P>It is running on a SH cluster.&nbsp; Splunk is v8.02<BR />Permissions for alias is "All apps" with read for Everyone.</P><P>"uri" field is an inline field extraction.<BR /><SPAN>Search-time operation order puts inline field extraction (1st) ahead of&nbsp;</SPAN><SPAN>field aliasing operations (4th). (<A href="https://docs.splunk.com/Documentation/Splunk/8.2.1/Knowledge/Searchtimeoperationssequence" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/8.2.1/Knowledge/Searchtimeoperationssequence</A>)</SPAN></P><P><SPAN>... so I don't see this being a <SPAN>Search-time operation issue</SPAN>.&nbsp; Any ideas where else to check?</SPAN></P><P>Apologies if the above is not clear due to the obfuscation.<BR />Let me know if you need clarification.</P><P>Thanks,</P> Thu, 08 Jul 2021 06:24:15 GMT https://community.splunk.com/t5/Knowledge-Management/Field-Alias-by-sourcetype-not-working/m-p/558643#M5096 torowa 2021-07-08T06:24:15Z https://community.splunk.com/t5/Knowledge-Management/Field-Alias-by-sourcetype-not-working/m-p/558773#M5097 <P>Upon further digging, this seems to be related to when using the sourcetype in the definition.</P><P>If I set the definition up using a host name, the field alias works.<BR />If it is set up using the sourcetype, the field alias doesn't get set.<BR /><BR />If I copy the sourcetype from the definition and manually search on it, I get events of that sourcetype.&nbsp; i.e. The sourcetype as used in the definition is correct.</P><P>Also, as the sourcetype is one of the default fields, I wouldn't expect a definition that uses a sourcetype to be affected by the sequence of search-time operations.</P><P>Any other suggestions?</P><P>Thanks.</P> Fri, 09 Jul 2021 01:00:06 GMT https://community.splunk.com/t5/Knowledge-Management/Field-Alias-by-sourcetype-not-working/m-p/558773#M5097 torowa 2021-07-09T01:00:06Z https://community.splunk.com/t5/Knowledge-Management/Field-Alias-by-sourcetype-not-working/m-p/561020#M5112 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/57946">@torowa</a>&nbsp;<BR /><BR />Can you try the below solution:</P><LI-CODE lang="markup">| rest /services/data/props/fieldaliases | rename title as Name, value as "Field aliases", eai:acl.app as App, eai:acl.owner as Owner, stanza as "Source Type" | table Name "Field aliases" App Owner "Source Type"</LI-CODE><P>I observed that even if we mention source type the fields are coming. Additionally, the pattern in the Name field is &lt;<SPAN>stype&gt;: FIELDALIAS-&lt;class&gt;</SPAN><BR /><BR />Can you try the above solution?</P><P>If it's still not working can you check whether the mentioned configurations in your props are working?</P> Tue, 27 Jul 2021 12:54:17 GMT https://community.splunk.com/t5/Knowledge-Management/Field-Alias-by-sourcetype-not-working/m-p/561020#M5112 jhanvidattani 2021-07-27T12:54:17Z https://community.splunk.com/t5/Knowledge-Management/Field-Alias-by-sourcetype-not-working/m-p/561280#M7340 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236777">@jhanvidattani</a>, formatting was due to a transcription error as had to redact content from the definition names.</P><P>This seems to have sorted itself out (by itself unfortunately) after a few days.<BR /><SPAN>Perhaps this was related to a SH cluster member not having fully received the KO bundle.<BR /></SPAN></P><P><SPAN>When testing on different cluster members accessed directly, it works fine.<BR />When trying on a particular cluster member directly the issue occurs again.</SPAN></P><P>It has subsequently started working on the recalcitrant server.</P> Thu, 29 Jul 2021 03:58:39 GMT https://community.splunk.com/t5/Knowledge-Management/Field-Alias-by-sourcetype-not-working/m-p/561280#M7340 torowa 2021-07-29T03:58:39Z https://community.splunk.com/t5/Knowledge-Management/Field-Alias-by-sourcetype-not-working/m-p/561285#M7396 <P>Hi&nbsp;@towara,</P><P>This kind of issue generally happens because of the sequence of search time operation shown here:</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.2.1/Knowledge/Searchtimeoperationssequence#Search-time_operation_sequence" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/8.2.1/Knowledge/Searchtimeoperationssequence#Search-time_operation_sequence</A></P><P>The aliasing operation happens 4th, and therefore cannot be applied on calculated fields, lookups fields, eventtypes or tags.&nbsp;</P><P>Could you please confirm that the field you are trying to alias (uri_path) created before the aliasing happens in the sequence ?</P><P>Cheers,</P><P>David</P> Thu, 29 Jul 2021 05:45:11 GMT https://community.splunk.com/t5/Knowledge-Management/Field-Alias-by-sourcetype-not-working/m-p/561285#M7396 DavidHourani 2021-07-29T05:45:11Z https://community.splunk.com/t5/Knowledge-Management/Field-Alias-by-sourcetype-not-working/m-p/561286#M7402 <P><SPAN>While I understand the importance of search time operations, I don't believe this to be the cause.</SPAN></P><P><SPAN>The field aliases were operating against in-line extracted fields.</SPAN></P><P><SPAN>eSearch-time operation order puts inline field extraction (1st) ahead of&nbsp;</SPAN><SPAN>field aliasing operations (4th).</SPAN></P> Thu, 29 Jul 2021 05:51:50 GMT https://community.splunk.com/t5/Knowledge-Management/Field-Alias-by-sourcetype-not-working/m-p/561286#M7402 torowa 2021-07-29T05:51:50Z