Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why a cloned field alias does not work as the original despite having identical permissions and app context?

att35
Builder
‎02-10-2017 06:51 AM

Hi,

Trying to map fields from eStreamer data to the ones needed by IDS data model. One of the fields which comes from Sourcefire is "priority" for which there is an existing field alias ( priority -> severity_id), which works fine.

Since CIM needs the field name to be 'severity', I cloned another field alias ( priority -> severity) from the existing and made sure that it has global permission and is part of the TA for sourcefire, same as the field alias for "severity_id".

Still, only severity_id is working but not the one newly created for "severity". Also tried creating the same on indexer but it didn't work. Here is a screenshot showing both the aliases.

alt text

Please advise.

Thanks,

Preview file
1 KB
0 Karma
Reply

neelamsantosh
Path Finder
‎05-15-2018 08:47 PM

check the props and make sure Field alias is happening only after the Fields extraction

cmd:
/opt/splunk/bin/splunk cmd btool props list --debug|grep

0 Karma
Reply

dsrvern
Explorer
‎11-02-2017 06:22 AM

Hi abhijittikekar,

I'm also experiencing problems with field aliases. Did you ever find a solution to this issue?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...