Knowledge Management

Is it possible to use one field alias for multiple fields?

HeinzWaescher
Motivator

Hi,

is it possible to use one field alias for multiple fields?

For example I want to use field aliases to rename these fields to Z
A -> Z
B -> Z
C -> Z

Currently the renaming is not working correctly.

Thanks in advance
Heinz

1 Solution

somesoni2
Revered Legend

I would also suggest to look at creating "Calculated fields" using an eval functions like coalesce.

In props.conf
[<stanza>]
EVAL-Z = coalesce(A,B,C)

http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/definecalcfields

View solution in original post

somesoni2
Revered Legend

I would also suggest to look at creating "Calculated fields" using an eval functions like coalesce.

In props.conf
[<stanza>]
EVAL-Z = coalesce(A,B,C)

http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/definecalcfields

HeinzWaescher
Motivator

Good point, that would be a possible workaround. But I think this approach is more expensive than field aliases, am I correct?

0 Karma

sundareshr
Legend

As long as an event does not have more than one of the fields (A,B,C). If more than one field exists in an event, aliased field (Z) will take the values from the last entry in props.conf. So, for example if your props entry is `FIELDALIAS-multialias = A AS Z B AS Z C AS Z1, if an event has fields A and C, the aliased field Z will take value from field C

HeinzWaescher
Motivator

The events do not have more than one the fields A, B, C. It seems, that sometimes Z is not extracted during the search

0 Karma

sundareshr
Legend

Field names are case sensitive. Make sure all events have the right case. The times when Z does not have a value, is it for a specific origin field. In other words, is it always for field A or B etc or is it random?

0 Karma

HeinzWaescher
Motivator

All fields have the right case. Sometimes it works as intended, for example when I use a short timerange or only a few different events. But on the other hand, after searching more events, Z is empty for events where it worked before.

0 Karma
Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...