Getting Data In

FIELDALIAS from props.conf is not working

VatsalJagani
SplunkTrust
SplunkTrust

Below is my props.conf configuration:

[<some-sourcetype>]
FIELDALIAS-0_abc = field1 as field2
FIELDALIAS-pqr = field2 as field3
FIELDALIAS-xyz = field2 as field4

Current behavior:
- field1 and field2 are coming from REPORT.
- field1 and field2 are being extracted but not field3 and field4.
- I'm using Splunk 7.3.1 version.
- The FIELDALIAS works based on the lexicographic order of class names. So, 0 comes before p and x in lexicographical order it should correctly alias field3 and field4. This is what I'm expecting.

Can anyone tell me why it is not working? Is it expected? Is there any doc related to it?

I've some calculated fields (EVAL) based on field3 and field4, so I cannot extract field3 and field4 using EVAL as all EVAL executed in parallel. Is there any way I can solve the issue.

0 Karma

woodcock
Esteemed Legend

Splunk Knowledge Objects exist within user-defined, arbitrary, and unique instance-global namespaces (like AWS S3 buckets). One benefit of this is that for some KOs it allows Admins to control the order that they execute.

0 Karma

wmyersas
Builder

why add a new "answer" instead of adding to the one you already had?

0 Karma

woodcock
Esteemed Legend

Sometimes I don't realize that I have already answered.

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

I agree with that. Do we get any benefit if they execute in order rather than in parallel? Specifically in the case of FIELDALIAS, because we cannot use field created by any other FIELDALIAS just like EVAL but in case of EVAL we get benefit on another side where we'll improve in speed because EVAL executes in parallel.
In that case if FIELDALIAS executes in order what benefit we are receiving?

0 Karma

wmyersas
Builder

There's also the stacking that can happen - you may have private (or app-local) FIELDALIAS statements that override the basic FIELDALIAS where your observed search behavior is different from mine

woodcock
Esteemed Legend

That is a good question.

0 Karma

woodcock
Esteemed Legend

Transitive aliasing is not allowed. You have to do it like this:

FIELDALIAS-0_abc = field1 as field2
FIELDALIAS-pqr = field1 as field3
FIELDALIAS-xyz = field1 as field4

Or you can use a calculated field like this (but this is a last resort as there are performance downsides to it):

FIELDALIAS-0_abc = field1 as field2
EVAL-field3 = coalesce(field3,  field2)
EVAL-field4 = coalesce(field4, field2)

VatsalJagani
SplunkTrust
SplunkTrust

I agree with the solution @woodcock.

0 Karma

woodcock
Esteemed Legend

Then come back here and click Accept to close the question.

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

I still don't understand then why FIELDALIAS has <class> name in it and why it executes in lexicographical order?

woodcock
Esteemed Legend

This is a good question.

0 Karma

skalliger
SplunkTrust
SplunkTrust

Hi,

you can not do a field alias based on other field aliases. Take a look into the docs, under restrictions: Field aliasing.
What might help in your case, is the newer "ASNEW" option for field aliases. See under the props.conf specficiation.

Skalli

VatsalJagani
SplunkTrust
SplunkTrust

I got a solution to resolve my issue from @woodcock and @wmyersas.
Though I had a question where why this is not working which you have answered.
you can not do a field alias based on other field aliases.

But I don't understand then why FIELDALIAS has class name in it and why it executes in lexicographical order?
@skalliger, @woodcock, @wmyersas - In case you can answer this question?

0 Karma

wmyersas
Builder

It executes in lexicographical order because it has to execute in some order - and lexicographical is used everywhere else.

Also, there are some cases wehre you might want to alias different source fields to a new alias (eg they only show up in some (but not all) events).

For example, I had source data which sometimes had a username sometimes had a user and sometimes had a domainname.

But I wanted them all to be CIM-compliant, so I aliased username and domainname to user (of course, user didn't need to be aliased).

VatsalJagani
SplunkTrust
SplunkTrust

I agree. So, what I understand is I can write below field alias.

FIELDALIAS-a = username as user
FIELDALIAS-b = domainname as user

If "username" and "domainname" both have values then the final value of the "user" would be the same as "domainname" as it is overrides the value from "username" (as it has b which comes after a). If "domainname" is not available then the "user" value will be the same as "username".

Is this right?

wmyersas
Builder

That is exactly correct

0 Karma

woodcock
Esteemed Legend

Great point!!!

0 Karma

wmyersas
Builder

If you're going to alias field1 as field2 followed by field2 as field3, etc, why not just alias field1 as field2, field1 as field3, etc?

VatsalJagani
SplunkTrust
SplunkTrust

I agree with your solution @wmyersas. Thanks!!

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...