I created a field alias via the UI -
I made it global and under $SPLUNK_HOME/etc/apps/<app name>/local/props.conf, we see -
[<sourcetype>]
FIELDALIAS-test2 = status ASNEW aaaaaa
When searching - index=<index_name> sourcetype="<sourcetype>" status=* the field aaaaaa doesn't show up.
What do I miss?
Hi @danielbb,
The syntax for defining FIELDALIAS is incorrect. It should be,
[<sourcetype>]
FIELDALIAS-test2 = status AS aaaaaa
Refer to the document, https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Configurefieldaliaseswithprops.conf
As you have configured it from the UI, this should not be the case. Which Splunk version are you using?
Maybe your FIELDALIAS created from the UI is being ignored by a manually added FIELDALIAS for the same sourcetype with the same name.
UPDATE
From version 7, FIELDALIAS entries created from the web are stored with the ASNEW keyword.
As per the documentation, when creating a FIELDALIAS with props.conf, the AS keyword is used in the definition.
But both will work.
Perfect. I made the changes. Do I need to bounce the SH?
If it's a standalone search head, you can refresh the configuration without a restart: go to
'https://splunk_host:8000/en-US/debug/refresh/' and hit the Refresh button.
I ran it and it reports back about field aliasing, saying - Refreshing admin/fieldaliases OK
But the action field is not available.
What do you mean by action field is not available?
Sorry, the mapping reads now -
FIELDALIAS-toaction = status AS action
And index=<index_name> sourcetype="<sourcetype>" action=* returns no results.
Can you please check the permission of the FIELDALIAS?
If the permission is private and you are looking for the FIELDALIAS in a different app than the one it was created in, it will not show.
If the permission is private, change it to 'All Apps', 'Read' allow 'Everyone'.
Right, the sharing is Global and the SH was bounced.
Is it still not working? Which Splunk version are you using?
Check the article on the FieldAlias bug in Splunk versions.
https://docs.splunk.com/Documentation/Splunk/7.3.1/ReleaseNotes/Fieldaliasbehaviorchange
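An added example, not part of the thread or of Splunk's own tooling: a small checker for the two things raised in the replies above, namely whether each FIELDALIAS line parses as "<field> AS|ASNEW <alias>" pairs and whether the same FIELDALIAS class name is defined for one sourcetype in more than one props.conf. The file labels (app_a, app_b), the sourcetype name and the sample contents are constructed, and field names are assumed to be unquoted tokens.

```python
import re
from collections import defaultdict

# Constructed sample inputs: (hypothetical file label, props.conf text).
SAMPLE_FILES = [
    ("app_a/local/props.conf",
     "[my_sourcetype]\nFIELDALIAS-test2 = status ASNEW aaaaaa\n"),
    ("app_b/local/props.conf",
     "[my_sourcetype]\n# manual edit\nFIELDALIAS-test2 = code AS aaaaaa\n"
     "FIELDALIAS-bad = status action\n"),
]

# One "<source field> AS|ASNEW <alias>" pair; a line may carry several.
PAIR = re.compile(r"(\S+)\s+(ASNEW|AS)\s+(\S+)")

def parse_aliases(text):
    """Yield (stanza, class_name, pairs); pairs is None if the line is malformed."""
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key.startswith("FIELDALIAS-"):
            continue
        pairs = PAIR.findall(value)
        leftover = PAIR.sub("", value).strip()  # tokens not covered by any pair
        ok = bool(pairs) and not leftover
        yield stanza, key[len("FIELDALIAS-"):], (pairs if ok else None)

def audit(files):
    """Return findings: malformed definitions and class names defined more than once."""
    seen, findings = defaultdict(list), []
    for label, text in files:
        for stanza, cls, pairs in parse_aliases(text):
            if pairs is None:
                findings.append(("malformed", stanza, cls, [label]))
            seen[(stanza, cls)].append(label)
    for (stanza, cls), labels in seen.items():
        if len(labels) > 1:
            findings.append(("duplicate", stanza, cls, labels))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(finding)
```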