- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- FieldAlias Setup
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to setup Fieldalias and not getting desire results. Here is what I have put into the props.conf file.
FIELDALIAS = acct AS account
FIELDALIAS = User_Name AS account
Am I missing something??
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your second FIELDALIAS statement will override the first.
Try adding an extension so that you have two unique entries:
FIELDALIAS-acct = acct AS account
FIELDALIAS-username = User_Name AS account
Alternately, you can have both aliases in a single line. If you go that route, you will still override any previously defined value for FIELDALIAS=, so it's still a good idea to add a qualifier as shown above.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately, field aliasing is one-to-one, and won't allow you to map many-to-one. The reason is that if orig_field doesn't exist, a blank value will be assigned to new_field.
Consider an event that has only the acct field. Both FIELDALIAS directives will be evaluated. Lexicographically, FIELDALIAS-acct runs first and successfully aliases acct as account. But when FIELDALIAS-username runs it finds no User_Name field, so the result is the account field will be blank.
There are two ways to work around this.
Use props.conf:
REPORT-alias_account = acct_as_account,User_Name_as_accountand transforms.conf:
[acct_as_account] SOURCE_KEY = acct REGEX = (?<account>.+) [User_Name_as_account] SOURCE_KEY = User_Name REGEX = (?<account>.+)Use the search language:
| eval account= IF(ISNULL(acct),User_Name,acct)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your second FIELDALIAS statement will override the first.
Try adding an extension so that you have two unique entries:
FIELDALIAS-acct = acct AS account
FIELDALIAS-username = User_Name AS account
Alternately, you can have both aliases in a single line. If you go that route, you will still override any previously defined value for FIELDALIAS=, so it's still a good idea to add a qualifier as shown above.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the assistance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It will have to be in a stanza that matches the sourcetype (or host, or source) for which you want to set the field alias. Other than that, it doesn't matter as long as it's a unique entry as above. If it's non-unique, then you have to worry about precedence rules, since another entry could override it (possibly from a different app). Also, I'm assuming you're only trying to use it within the search app -- if you need it across multiple apps you'll need to check the permissions and make sure it's set to global.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does it matter where in the props.conf file I input the FIELDALIAS information?
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
