Knowledge Management

Field Alias: Created multiple but only a few showing up

adalbor
Builder

Hey All,

I created multiple field aliases for multiple sourcetypes and for each sourcetype I am only seeing a few of each created field aliases in my search results.

I checked all my search heads and they all have the aliases in their props.conf (created via GUI) and they all have global permissions.

Is there anything else I can check to see why this might be occurring?

For example:
Here is the stanza in props.conf for one of them
[WinEventLog]
FIELDALIAS-sn_ms_def_compname = ComputerName ASNEW sn_ms_def_compname
FIELDALIAS-sn_ms_def_detectsrc = Detection_Source ASNEW sn_ms_def_detectsrc
FIELDALIAS-sn_ms_def_evtcd = EventCode ASNEW sn_ms_def_evtcd
FIELDALIAS-sn_ms_def_message = EventDescription ASNEW sn_ms_def_message

In search the only field alias not showing up is the sn_ms_def_message

I have multiple other stanzas with the same behavior, some but not all of the field aliases will be in the search results.

Labels (1)
0 Karma
1 Solution

adalbor
Builder

I figured the issue out. The non-working aliases were having search order preference issues.
I created the non-working aliases in the local folders of each respective app and that fixed the issue.

View solution in original post

0 Karma

adalbor
Builder

I figured the issue out. The non-working aliases were having search order preference issues.
I created the non-working aliases in the local folders of each respective app and that fixed the issue.

0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...