https://community.splunk.com/t5/Reporting/Data-model-not-picking-up-field-alias/m-p/446653#M7185 <P>I have installed the Suricata TA on my Splunk box. I am verifying that the data is flowing into the Intrusion Detection data model correctly.</P> <P>The Suricata TA has the following field alias:</P> <P>FIELDALIAS-suricata_global = proto AS transport src_ip AS src dest_ip AS dest</P> <P>The following search shows the values of the "src" field correctly, but the "dest" field has thousands of events where "dest" is "unknown":</P> <P>| datamodel Intrusion_Detection Network_IDS_Attacks search </P> <P>But if I run this search on the raw events, I only see events that don't have the "dest" field in them:</P> <P>sourcetype=suricata NOT dest=*</P> <P>Can anyone think of a reason why two fields defined in the same FIELDALIAS- command would only have one of them populate with the values correctly? Both the src_ip and dest_ip fields are in the events, but the data model can't see the values for dest/dest_ip for some reason...</P> Tue, 29 Sep 2020 20:30:19 GMT responsys_cm 2020-09-29T20:30:19Z https://community.splunk.com/t5/Reporting/Data-model-not-picking-up-field-alias/m-p/446653#M7185 <P>I have installed the Suricata TA on my Splunk box. I am verifying that the data is flowing into the Intrusion Detection data model correctly.</P> <P>The Suricata TA has the following field alias:</P> <P>FIELDALIAS-suricata_global = proto AS transport src_ip AS src dest_ip AS dest</P> <P>The following search shows the values of the "src" field correctly, but the "dest" field has thousands of events where "dest" is "unknown":</P> <P>| datamodel Intrusion_Detection Network_IDS_Attacks search </P> <P>But if I run this search on the raw events, I only see events that don't have the "dest" field in them:</P> <P>sourcetype=suricata NOT dest=*</P> <P>Can anyone think of a reason why two fields defined in the same FIELDALIAS- command would only have one of them populate with the values correctly? Both the src_ip and dest_ip fields are in the events, but the data model can't see the values for dest/dest_ip for some reason...</P> Tue, 29 Sep 2020 20:30:19 GMT https://community.splunk.com/t5/Reporting/Data-model-not-picking-up-field-alias/m-p/446653#M7185 responsys_cm 2020-09-29T20:30:19Z https://community.splunk.com/t5/Reporting/Data-model-not-picking-up-field-alias/m-p/446654#M7186 <P>I should also add that when I ran | datamodel Certificates search, the dest field is populating properly in that datamodel.</P> <P>Neither datamodel is accelerated yet.</P> Tue, 17 Jul 2018 21:11:09 GMT https://community.splunk.com/t5/Reporting/Data-model-not-picking-up-field-alias/m-p/446654#M7186 responsys_cm 2018-07-17T21:11:09Z https://community.splunk.com/t5/Reporting/Data-model-not-picking-up-field-alias/m-p/446655#M7187 <P>Is alias' permission global?</P> Wed, 18 Jul 2018 05:27:39 GMT https://community.splunk.com/t5/Reporting/Data-model-not-picking-up-field-alias/m-p/446655#M7187 HiroshiSatoh 2018-07-18T05:27:39Z https://community.splunk.com/t5/Reporting/Data-model-not-picking-up-field-alias/m-p/446656#M7188 <P>I know its an old post but i had the same problem-<BR /> Solution was that i extracted all my fields using a delims transforms on a dedicated field extraction (basically the _raw event without header data). Now the datamodel was not aware of the underlying field extraction. Adding it as a field of the datamodel did the trick and all other fields showed up.</P> Tue, 12 Feb 2019 11:45:48 GMT https://community.splunk.com/t5/Reporting/Data-model-not-picking-up-field-alias/m-p/446656#M7188 claudio_manig 2019-02-12T11:45:48Z https://community.splunk.com/t5/Reporting/Data-model-not-picking-up-field-alias/m-p/446657#M7189 <P>I have the same problem Suricata 2.3.3: <BR /> FIELDALIAS-suricata_global = proto AS transport src_ip AS src dest_ip AS dest <BR /> The alias is not adding dest to the logs that are tagged with tag=attack OR tag=ids.</P> Wed, 30 Sep 2020 00:57:41 GMT https://community.splunk.com/t5/Reporting/Data-model-not-picking-up-field-alias/m-p/446657#M7189 zschmerber 2020-09-30T00:57:41Z