I would like to create aliases for fields that map to Splunk's Common Information Model, so I go to Settings >> Fields >> Field aliases and enter the relevant information to map a field named HTTPRCode to the alias of status.
I tried entering * in the "apply to sourcetype named" field and when I ran a quick query of index=main | where status=200, no events were returned. I then deleted that field alias, created a new one, and entered a specific sourcetype name instead of *, and when I ran the query, events were returned.
If I have multiple sourcetypes that have the HTTPRCode field, do I need to create a field alias for each sourcetype, or is there a way to create one alias for HTTPRCode that applies to all sourcetypes that have that field?
The sourcetype specifier is a type of regex, so you could make the field alias something like (sourcetype1)|(sourcetype2), or if you truly want it to apply to all sourcetypes (probably not, except if you set the alias to only be shared in a specific app), it should work with e.g. *.
<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an event.
3. source::<source>, where <source> is the source, or source-matching pattern, for an event.
In that case I don't think there's a solution using aliases, unless your sourcetypes match your sources in some predictable way (in which case you can use wildcards in your fieldalias stanza).
So in short, yes, you need to create an alias for each sourcetype if you want the same alias for different sourcetypes.
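As an added example that is not part of the thread, this is the props.conf equivalent of what Settings >> Fields >> Field aliases writes, with one stanza per sourcetype as the answer describes, plus the source:: wildcard variant it mentions. The sourcetype names, the log path and the HTTPRCode field are assumed placeholders.

```ini
# Added example, not taken from the thread. sourcetype1, sourcetype2 and the
# access.log path are placeholders chosen for illustration.

# A FIELDALIAS only fires for events whose sourcetype matches the stanza
# header, so each sourcetype that carries HTTPRCode needs its own stanza.
[sourcetype1]
FIELDALIAS-cim_status = HTTPRCode AS status

[sourcetype2]
FIELDALIAS-cim_status = HTTPRCode AS status

# Alternative when the inputs share a predictable path: source:: stanzas
# accept wildcards, so one stanza can cover the files of several sourcetypes.
[source::/var/log/webapps/*/access.log]
FIELDALIAS-cim_status = HTTPRCode AS status
```

To see which stanza Splunk actually applies to a given sourcetype and from which app it comes (which is what the sharing permission controls), run `splunk btool props list sourcetype2 --debug` on the search head.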
I identified two different sourcetypes as having the HTTPRCode field. I changed the permission for sharing the alias from "private" to "Global" (and double-checked to make sure 'Object should appear in' is set to 'All apps') and then ran the following query:
index=main sourcetype=sourcetype1 OR sourcetype=sourcetype2 status=200
and only the sourcetype for which the field alias was created is being returned.
Am I not setting the permissions in the correct place?
And thx for the reminder on best search practices...