Hi,
is it possible to use one field alias for multiple fields?
For example I want to use field aliases to rename these fields to Z
A -> Z
B -> Z
C -> Z
Currently the renaming is not working correctly.
Thanks in advance
Heinz
I would also suggest to look at creating "Calculated fields" using an eval functions like coalesce.
In props.conf
[<stanza>]
EVAL-Z = coalesce(A,B,C)
http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/definecalcfields
I would also suggest to look at creating "Calculated fields" using an eval functions like coalesce.
In props.conf
[<stanza>]
EVAL-Z = coalesce(A,B,C)
http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/definecalcfields
Good point, that would be a possible workaround. But I think this approach is more expensive than field aliases, am I correct?
As long as an event does not have more than one of the fields (A,B,C). If more than one field exists in an event, aliased field (Z) will take the values from the last entry in props.conf. So, for example if your props entry is `FIELDALIAS-multialias = A AS Z B AS Z C AS Z1, if an event has fields A and C, the aliased field Z will take value from field C
The events do not have more than one the fields A, B, C. It seems, that sometimes Z is not extracted during the search
Field names are case sensitive. Make sure all events have the right case. The times when Z does not have a value, is it for a specific origin field. In other words, is it always for field A or B etc or is it random?
All fields have the right case. Sometimes it works as intended, for example when I use a short timerange or only a few different events. But on the other hand, after searching more events, Z is empty for events where it worked before.