Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why do I see duplicate fields in sourcetype configuration?

atemourt
Engager
‎09-13-2018 01:46 AM

Hello Splunkers,

I am trying to configure a sourcetype in Advanced section.
For example, I create a field alias by creating the key/value:

alt text

When I perform search on the data, I see both MD5 and md5 fields to be extracted and containing the same values.
However, I want to see only md5 in Interesting fields.
Why do I see both fields?

Thank you in advance!
Afroditi

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎09-13-2018 02:52 AM

Hey @atemourt

Field aliases are an alternate name that you assign to a field allowing you to use that name to search for events that contain that field. A field can have multiple aliases, but a single alias can only apply to one field. For example, the field vendor_action can be aliased to action or message_type, but not both. An alias does not replace or remove the original field name.

So whatever you see on the Splunk UI is correct. You are creating an alias, not field so do not worry.
have a look at this field alias documentation:
https://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Addaliasestofields

let me know if this helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎09-13-2018 02:52 AM

Hey @atemourt

Field aliases are an alternate name that you assign to a field allowing you to use that name to search for events that contain that field. A field can have multiple aliases, but a single alias can only apply to one field. For example, the field vendor_action can be aliased to action or message_type, but not both. An alias does not replace or remove the original field name.

So whatever you see on the Splunk UI is correct. You are creating an alias, not field so do not worry.
have a look at this field alias documentation:
https://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Addaliasestofields

let me know if this helps!

0 Karma
Reply
Solved! Jump to solution

atemourt
Engager
‎09-13-2018 03:19 AM

Hello mayurr98,

Thank you very much for your reply!

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...