Knowledge Management

Why doesn't my field alias work?

danielbb
Motivator

I created a field alias via the UI -

alt text

I made it global and under $SPLUNK_HOME/etc/apps/<app name>/local/props.conf, we see -

[<sourcetype>]
FIELDALIAS-test2 = status ASNEW aaaaaa

When searching - index=<index_name> sourcetype="<sourcetype>" status=* the field aaaaaa dones't show up.

What do I miss?

Labels (1)
Tags (2)

gaurav_maniar
Builder

Hi @danielbb ,

Syntax for defining FIELDALIAS is incorrect. It should be,

[<sourcetype>]
FIELDALIAS-test2 = status AS aaaaaa

Refer to the document, https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Configurefieldaliaseswithprops.conf

As you have configured it from the UI this should not be the case. Which Splunk version you are using?
May be your FIELDALIAS created from UI is being ignored by any manually added FIELDALIAS for same sourcetype with same name.

UPDATE
From version 7, FIELDALIAS created from web are store with ASNEW keyword.
As per the documentation, creating FIELDALIAS with props.conf AS keyword is used in definition.
But both will work.

danielbb
Motivator

Perfect. I made the changes. Do I need to bounce the SH?

0 Karma

gaurav_maniar
Builder

If its standalone search head, you can refresh configuration without restart by, goto
https://splunk_host:8000/en-US/debug/refresh/‘ and hit Refresh button.

danielbb
Motivator

I ran it and reports back about field aliasing saying - Refreshing admin/fieldaliases OK

But the action field is not available.

0 Karma

gaurav_maniar
Builder

what do you mean by action field is not available?

0 Karma

danielbb
Motivator

Sorry, the mapping reads now -

FIELDALIAS-toaction = status AS action

And index=<index_name> sourcetype="<sourcetype>" action=* returns no results.

0 Karma

gaurav_maniar
Builder

can you please check the permission of the FIELDALIAS?
If permission is private and you are looking for FIELDALIAS in the different app that it is created, it will not show.

If the permission is private, change it to 'All Apps', 'Read' allow 'Everyone'.

danielbb
Motivator

Right, the sharing is Global and the SH was bounced.

0 Karma

gaurav_maniar
Builder

Still it is not working? which Splunk version you are using?
Check the article with FieldAlias bug on Splunk versions.
https://docs.splunk.com/Documentation/Splunk/7.3.1/ReleaseNotes/Fieldaliasbehaviorchange

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!