Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is my field alias only applied for 1 of 2 fields specified in props.conf?

himapate
Explorer
‎06-29-2016 10:53 PM

Hi,

Trying to build a parser, but facing the below issue.

I extracted two fields from my logs: action_failed and action_success
Later, I gave them a field alias as below:

action_failed as action1 
action_success as action1

linked them to a lookup:

mylookup action1 OUTPUT action

The issue is that only one field is parsed, and that is the first one in my case action_failed, the other field is not picked. Is there any solution for this?

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎06-30-2016 02:24 AM

You are probably using the same class names in the field alias

if you use FIELDALIAS-action = on both only one will work.
try something like this:

FIELDALIAS-failed_action = action_failed as action1 
FIELDALIAS-success_action = action_success as action1
------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply

hgrow
Communicator
‎06-29-2016 11:02 PM

Hi himapate,

try to not use field alias . If you extract both fields (action_failed,action_success) manuelly you can achive the same result as the field alias just by extracting the same value into two fields. 

Regex 1: 

" ... (?<action1>(?<action_failed>....))..."

Regex 2:

" ... (?<action1>(?<action_success>....))..."

Hope it helps.

Greetings

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...