Getting Data In
Highlighted

FIELDALIAS from props.conf is not working

Motivator

Below is my props.conf configuration:

[<some-sourcetype>]
FIELDALIAS-0_abc = field1 as field2
FIELDALIAS-pqr = field2 as field3
FIELDALIAS-xyz = field2 as field4

Current behavior:
- field1 and field2 are coming from REPORT.
- field1 and field2 are being extracted but not field3 and field4.
- I'm using Splunk 7.3.1 version.
- The FIELDALIAS works based on the lexicographic order of class names. So, 0 comes before p and x in lexicographical order it should correctly alias field3 and field4. This is what I'm expecting.

Can anyone tell me why it is not working? Is it expected? Is there any doc related to it?

I've some calculated fields (EVAL) based on field3 and field4, so I cannot extract field3 and field4 using EVAL as all EVAL executed in parallel. Is there any way I can solve the issue.

0 Karma
Highlighted

Re: FIELDALIAS from props.conf is not working

Builder

If you're going to alias field1 as field2 followed by field2 as field3, etc, why not just alias field1 as field2, field1 as field3, etc?

Highlighted

Re: FIELDALIAS from props.conf is not working

Motivator

I agree with your solution @wmyersas. Thanks!!

0 Karma
Highlighted

Re: FIELDALIAS from props.conf is not working

SplunkTrust
SplunkTrust

Hi,

you can not do a field alias based on other field aliases. Take a look into the docs, under restrictions: Field aliasing.
What might help in your case, is the newer "ASNEW" option for field aliases. See under the props.conf specficiation.

Skalli

Highlighted

Re: FIELDALIAS from props.conf is not working

Motivator

I got a solution to resolve my issue from @woodcock and @wmyersas.
Though I had a question where why this is not working which you have answered.
you can not do a field alias based on other field aliases.

But I don't understand then why FIELDALIAS has class name in it and why it executes in lexicographical order?
@skalliger, @woodcock, @wmyersas - In case you can answer this question?

0 Karma
Highlighted

Re: FIELDALIAS from props.conf is not working

Builder

It executes in lexicographical order because it has to execute in some order - and lexicographical is used everywhere else.

Also, there are some cases wehre you might want to alias different source fields to a new alias (eg they only show up in some (but not all) events).

For example, I had source data which sometimes had a username sometimes had a user and sometimes had a domainname.

But I wanted them all to be CIM-compliant, so I aliased username and domainname to user (of course, user didn't need to be aliased).

Highlighted

Re: FIELDALIAS from props.conf is not working

Motivator

I agree. So, what I understand is I can write below field alias.

FIELDALIAS-a = username as user
FIELDALIAS-b = domainname as user

If "username" and "domainname" both have values then the final value of the "user" would be the same as "domainname" as it is overrides the value from "username" (as it has b which comes after a). If "domainname" is not available then the "user" value will be the same as "username".

Is this right?

Highlighted

Re: FIELDALIAS from props.conf is not working

Esteemed Legend

Great point!!!

0 Karma
Highlighted

Re: FIELDALIAS from props.conf is not working

Builder

That is exactly correct

0 Karma
Highlighted

Re: FIELDALIAS from props.conf is not working

Esteemed Legend

Transitive aliasing is not allowed. You have to do it like this:

FIELDALIAS-0_abc = field1 as field2
FIELDALIAS-pqr = field1 as field3
FIELDALIAS-xyz = field1 as field4

Or you can use a calculated field like this (but this is a last resort as there are performance downsides to it):

FIELDALIAS-0_abc = field1 as field2
EVAL-field3 = coalesce(field3,  field2)
EVAL-field4 = coalesce(field4, field2)