
Some fields not resolving to alias

averyml
Explorer

I have just set up a splunk server (so I'm not quite sure what I'm doing yet) on its own virtual machine. On another machine running Nagios, I have installed a lightweight forwarder. On the splunk indexing server, I have also installed the SplunkForNagios app. SplunkForNagios has several fields configured that I would like to reference as the same field. For example, there's a servicestatus field:

EXTRACT-servicestatus = .+CURRENT SERVICE STATE\:[^;]+;[^;]+;(?P<servicestatus>[^;]*)(?=;)

a status field:

EXTRACT-status = .+SERVICE ALERT\:[^;]+;[^;]+;(?P<status>[^;]*)(?=;)

and a statusnotification field:

EXTRACT-statusnotification = .+SERVICE NOTIFICATION\:[^;]+;[^;]+;[^;]+;(?P<statusnotification>[^;]*)(?=;)

From my understanding, the correct way of doing this would be to create an alias to reference these three fields. So, using the web frontend, I created the alias nagios_status, which gave me the following in my configuration file:

FIELDALIAS-nagios_status = servicestatus AS nagios_status status AS nagios_status statusnotification AS nagios_status

I created nagios_status under the SplunkForNagios app, but made it globally available. Now, when I do a search for nagios_status="OK", I get 8 results, 6 of which are status and 2 of which are statusnotification. However, status="OK" returns 11, statusnotification="OK" returns 2, and servicestatus="OK" returns 118.

As an example, Splunk says that this log entry contains a value for "nagios_status":

[1288808908] SERVICE ALERT: vm-centos2;yum_updates_nrpe;OK;SOFT;2;YUM OK: 0 Security Updates Available

But this one does not:

[1288765588] SERVICE ALERT: vm-centos2;yum_updates_nrpe;OK;SOFT;2;YUM OK: 0 Security Updates Available

Why are some of these working but not others?

0 Karma

skottieb
Explorer

This looks like it's still an issue. I'm trying to do a search-time field ALIAS and can't get one to work.

Here's the setup:

FIELDALIAS-social = text as socialPost comment_text as socialPost message as socialPost **status** as socialPost

The status field will not show up at search time.

0 Karma

lukeh
Contributor

Hi averyml,

The best way to achieve this is to create a number of transforms:

1/ add a new REPORT type to $SPLUNK_HOME/etc/apps/SplunkForNagios/local/props.conf under the sourcetype called [nagios]

REPORT-nagios_status = status servicestatus statusnotification

2/ add three new entries to $SPLUNK_HOME/etc/apps/SplunkForNagios/local/transforms.conf

[status]
REGEX = .+SERVICE ALERT\:[^;]+;[^;]+;(?P<nagios_status>[^;]*)(?=;)

[servicestatus]
REGEX = .+CURRENT SERVICE STATE\:[^;]+;[^;]+;(?P<nagios_status>[^;]*)(?=;)

[statusnotification]
REGEX = .+SERVICE NOTIFICATION\:[^;]+;[^;]+;[^;]+;(?P<nagios_status>[^;]*)(?=;)

3/ Click on the "splunk> SplunkForNagios" logo at the top right of the GUI to reload the config files (if using Splunk v4.2.x, or restart Splunk if using v4.1.x or earlier)

4/ Re-run your search and choose 'nagios_status' from the field picker and click "Select/show in results"

Note: I wrote Splunk for Nagios and am currently applying knowledge management to the app, it will be compliant with the Common Information Model in v1.1 due in May.

A couple of the benefits to making the app CIM compliant include:

1/ common field names; eg. src_host, reason, result.

2/ easier to correlate events.

FYI: existing field names remain the same.

http://www.splunk.com/base/Documentation/latest/Knowledge/UnderstandandusetheCommonInformationModel

0 Karma
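To see why the transforms approach above gives one consistent field, here is an added Python example (not part of lukeh's answer or of the SplunkForNagios app) that applies the same three regexes to sample events the way a REPORT- setting listing several transforms would: each stanza matches a different Nagios message type, but all of them write the single `nagios_status` group. For contrast it also runs the app's original EXTRACT- patterns from the question (with the `statusnotification` group name restored), which produce three differently named fields. The SERVICE ALERT line is the one quoted in the question; the other events are constructed for this example in the Nagios log format, and the function names are the example's own.

```python
import re
from collections import Counter

# The three transforms.conf stanzas from the answer above: different patterns,
# one shared named group, so every match lands in the same field.
TRANSFORMS = {
    "status": r".+SERVICE ALERT\:[^;]+;[^;]+;(?P<nagios_status>[^;]*)(?=;)",
    "servicestatus": r".+CURRENT SERVICE STATE\:[^;]+;[^;]+;(?P<nagios_status>[^;]*)(?=;)",
    "statusnotification": r".+SERVICE NOTIFICATION\:[^;]+;[^;]+;[^;]+;(?P<nagios_status>[^;]*)(?=;)",
}

# The app's original EXTRACT- settings from the question: same patterns, but
# each writes its own field name, which is what the alias tried to unify.
ORIGINAL_EXTRACTS = {
    "status": r".+SERVICE ALERT\:[^;]+;[^;]+;(?P<status>[^;]*)(?=;)",
    "servicestatus": r".+CURRENT SERVICE STATE\:[^;]+;[^;]+;(?P<servicestatus>[^;]*)(?=;)",
    "statusnotification": r".+SERVICE NOTIFICATION\:[^;]+;[^;]+;[^;]+;(?P<statusnotification>[^;]*)(?=;)",
}

# Sample events: the first is the SERVICE ALERT line quoted in the question,
# the remaining three are constructed here (one per message type, plus a
# HOST ALERT that none of the transforms should match).
EVENTS = [
    "[1288808908] SERVICE ALERT: vm-centos2;yum_updates_nrpe;OK;SOFT;2;YUM OK: 0 Security Updates Available",
    "[1288808900] CURRENT SERVICE STATE: vm-centos2;yum_updates_nrpe;CRITICAL;HARD;3;YUM CRITICAL: 5 Security Updates Available",
    "[1288808910] SERVICE NOTIFICATION: nagiosadmin;vm-centos2;yum_updates_nrpe;WARNING;notify-service-by-email;YUM WARNING: 1 Security Update Available",
    "[1288808920] HOST ALERT: vm-centos2;DOWN;HARD;3;PING CRITICAL - Packet loss = 100%",
]


def apply_regexes(event, regexes):
    """Run every regex over one event (unanchored, like Splunk's search-time
    extraction) and merge the named groups of each match into one field dict."""
    fields = {}
    for pattern in regexes.values():
        match = re.search(pattern, event)
        if match:
            fields.update(match.groupdict())
    return fields


def extract_fields(event):
    """What REPORT-nagios_status = status servicestatus statusnotification yields."""
    return apply_regexes(event, TRANSFORMS)


def count_by_status(events):
    """Rough equivalent of `... | stats count by nagios_status` over the events."""
    counts = Counter()
    for event in events:
        fields = extract_fields(event)
        if "nagios_status" in fields:
            counts[fields["nagios_status"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for event in EVENTS:
        print(event[:45].ljust(45), "->", extract_fields(event) or "no match")
        print(" " * 45, "   original extracts:", apply_regexes(event, ORIGINAL_EXTRACTS))
    print("stats count by nagios_status:", count_by_status(EVENTS))
```

Running it shows the point of the answer: with the transforms, the SERVICE ALERT, CURRENT SERVICE STATE and SERVICE NOTIFICATION events all carry `nagios_status`, while the original extractions give each event type a field of its own (`status`, `servicestatus`, `statusnotification`), so a search on one name can only ever see one message type.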

spock_yh
Path Finder

I'm having the exact same problem - I have several different fields (extracted from various log row formats), that serve essentially the same purpose. When I alias all 3 to the same name the results become unpredictable - some rows have the aliased name, most do not. The distinction seems completely arbitrary.

Did you find a solution for this problem?

ryantzj
Explorer

I am facing the same problem here, and it's quite contradictory to what Splunk promises about correlation 😞

0 Karma