Solved: Field Alias: Created multiple but only a few showi...

adalbor · ‎01-21-2020

Hey All,

I created multiple field aliases for multiple sourcetypes and for each sourcetype I am only seeing a few of each created field aliases in my search results.

I checked all my search heads and they all have the aliases in their props.conf (created via GUI) and they all have global permissions.

Is there anything else I can check to see why this might be occurring?

For example:
Here is the stanza in props.conf for one of them
[WinEventLog]
FIELDALIAS-sn_ms_def_compname = ComputerName ASNEW sn_ms_def_compname
FIELDALIAS-sn_ms_def_detectsrc = Detection_Source ASNEW sn_ms_def_detectsrc
FIELDALIAS-sn_ms_def_evtcd = EventCode ASNEW sn_ms_def_evtcd
FIELDALIAS-sn_ms_def_message = EventDescription ASNEW sn_ms_def_message

In search the only field alias not showing up is the sn_ms_def_message

I have multiple other stanzas with the same behavior, some but not all of the field aliases will be in the search results.

adalbor · ‎01-30-2020

I figured the issue out. The non-working aliases were having search order preference issues.
I created the non-working aliases in the local folders of each respective app and that fixed the issue.

View solution in original post

adalbor · ‎01-30-2020

I figured the issue out. The non-working aliases were having search order preference issues.
I created the non-working aliases in the local folders of each respective app and that fixed the issue.

Field Alias: Created multiple but only a few showing up

alias

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash