topic Re: Using Field Aliases in Splunk Search

Using Field Aliases

olavo123 — Mon, 28 Sep 2020 15:13:59 GMT

Just a small query: Lets say I need to find all values in one field in the access_logs matching values in some other fields:

For example a search like this:

Sourcetype="My_Custom_sourcetype" departure_city = return_city ...and so on..

We want to find all errors where the departure city and return city are the same.

Above we want to look at all values where dep_city equal values in return_city field. In SQL we normally use aliases for such joins. I have tried using FIELDALIAS but it does not seem to work. Would appreciate any help. Thanks.

Re: Using Field Aliases

crt89 — Fri, 08 Nov 2013 06:20:58 GMT

You should set what host/source/sourcetype you want to define your field alias
Then set something like this:
let say departure_city is on host1 and return_city is on host2

host=host1
departure_city = my_city_alias

create another one for return_city on host2

host=host2
return_city = my_city_alias

in your search:

host=host1 OR host=host2 my_city_alias="Some City"

This should return events with departure_city and return_city that are the same.
Hope this helps.

Re: Using Field Aliases

somesoni2 — Fri, 08 Nov 2013 15:51:44 GMT

I had a similar requirement and following worked for me:

Change

Sourcetype="My_Custom_sourcetype"  departure_city = return_city

Sourcetype="My_Custom_sourcetype" |where departure_city = return_city

Re: Using Field Aliases

olavo123 — Fri, 08 Nov 2013 16:20:23 GMT

Thanks so much. You are awesome.

Re: Using Field Aliases

olavo123 — Fri, 08 Nov 2013 16:26:26 GMT

Thanks for the answer. This query is useful, if we are looking for pairs given a particular city, But in my case, I want to do it for all combinations.