Knowledge Management
Highlighted

Is it possible to use one field alias for multiple fields?

Motivator

Hi,

is it possible to use one field alias for multiple fields?

For example I want to use field aliases to rename these fields to Z
A -> Z
B -> Z
C -> Z

Currently the renaming is not working correctly.

Thanks in advance
Heinz

Highlighted

Re: Is it possible to use one field alias for multiple fields?

Legend

As long as an event does not have more than one of the fields (A,B,C). If more than one field exists in an event, aliased field (Z) will take the values from the last entry in props.conf. So, for example if your props entry is `FIELDALIAS-multialias = A AS Z B AS Z C AS Z1, if an event has fields A and C, the aliased field Z will take value from field C

Highlighted

Re: Is it possible to use one field alias for multiple fields?

Motivator

The events do not have more than one the fields A, B, C. It seems, that sometimes Z is not extracted during the search

0 Karma
Highlighted

Re: Is it possible to use one field alias for multiple fields?

Legend

Field names are case sensitive. Make sure all events have the right case. The times when Z does not have a value, is it for a specific origin field. In other words, is it always for field A or B etc or is it random?

0 Karma
Highlighted

Re: Is it possible to use one field alias for multiple fields?

Motivator

All fields have the right case. Sometimes it works as intended, for example when I use a short timerange or only a few different events. But on the other hand, after searching more events, Z is empty for events where it worked before.

0 Karma
Highlighted

Re: Is it possible to use one field alias for multiple fields?

SplunkTrust
SplunkTrust

I would also suggest to look at creating "Calculated fields" using an eval functions like coalesce.

In props.conf
[<stanza>]
EVAL-Z = coalesce(A,B,C)

http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/definecalcfields

View solution in original post

Highlighted

Re: Is it possible to use one field alias for multiple fields?

Motivator

Good point, that would be a possible workaround. But I think this approach is more expensive than field aliases, am I correct?

0 Karma