Why doesn't my field alias work?

Motivator

I created a field alias via the UI -

I made it global and under $SPLUNK_HOME/etc/apps/<app name>/local/props.conf, we see -

[<sourcetype>]
FIELDALIAS-test2 = status ASNEW aaaaaa

When searching - index=<index_name> sourcetype="<sourcetype>" status=* the field aaaaaa doesn't show up.

What am I missing?

Hi @danielbb ,

Syntax for defining FIELDALIAS is incorrect. It should be,

[<sourcetype>]
FIELDALIAS-test2 = status AS aaaaaa

Refer to the document, https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Configurefieldaliaseswithprops.conf

As you have configured it from the UI, this should not be the case. Which Splunk version are you using?
Maybe your FIELDALIAS created from the UI is being ignored due to a manually added FIELDALIAS for the same sourcetype with the same name.

UPDATE
From version 7, FIELDALIAS entries created from the web are stored with the ASNEW keyword.
As per the documentation, when creating a FIELDALIAS in props.conf, the AS keyword is used in the definition.
But both will work.
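The same-name collision suggested in the answer above can be checked mechanically. This Python sketch is an added example, not part of the original thread or Splunk's own tooling; the file paths, sourcetype name and file contents are constructed, and it only reports collisions without modelling Splunk's configuration precedence.

```python
import re
from collections import defaultdict

# Constructed sample inputs: two props.conf files that both define the class
# name "test2" for the same sourcetype (paths and contents are made up).
SAMPLE_FILES = {
    "etc/apps/search/local/props.conf": """
[my_sourcetype]
FIELDALIAS-test2 = status ASNEW aaaaaa
""",
    "etc/apps/my_app/local/props.conf": """
# manually added
[my_sourcetype]
FIELDALIAS-test2 = code AS aaaaaa result AS outcome
FIELDALIAS-toaction = status AS action
""",
}

STANZA = re.compile(r"^\[(.+)\]\s*$")
SETTING = re.compile(r"^FIELDALIAS-(\S+)\s*=\s*(.+)$")
# One setting may carry several "<orig> AS|ASNEW <alias>" pairs.
PAIR = re.compile(r"(\S+)\s+(ASNEW|AS)\s+(\S+)", re.IGNORECASE)

def parse_aliases(path, text):
    """Yield (stanza, class, keyword, orig_field, alias, path) per alias pair."""
    stanza = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            stanza = m.group(1)
            continue
        m = SETTING.match(line)
        if m and stanza:
            for orig, kw, alias in PAIR.findall(m.group(2)):
                yield stanza, m.group(1), kw.upper(), orig, alias, path

def find_collisions(files):
    """Return {(stanza, class): [paths]} for class names defined in >1 file."""
    seen = defaultdict(set)
    for path, text in files.items():
        for stanza, cls, *_rest, p in parse_aliases(path, text):
            seen[(stanza, cls)].add(p)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (stanza, cls), paths in find_collisions(SAMPLE_FILES).items():
        print(f"[{stanza}] FIELDALIAS-{cls} is defined in: {', '.join(paths)}")
```

On a real search head, `splunk btool props list <sourcetype> --debug` shows which file each merged setting comes from.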

Motivator

Perfect. I made the changes. Do I need to bounce the SH?

0 Karma

If it's a standalone search head, you can refresh the configuration without a restart: go to
https://splunk_host:8000/en-US/debug/refresh/ and hit the Refresh button.

Motivator

I ran it and it reports back about field aliasing, saying - Refreshing admin/fieldaliases OK

But the action field is not available.

0 Karma

What do you mean by the action field is not available?

0 Karma

Motivator

Sorry, the mapping reads now -

FIELDALIAS-toaction = status AS action

And index=<index_name> sourcetype="<sourcetype>" action=* returns no results.

0 Karma

Can you please check the permission of the FIELDALIAS?
If the permission is private and you are looking for the FIELDALIAS in a different app than the one it was created in, it will not show.

If the permission is private, change it to 'All Apps', 'Read' allow 'Everyone'.

Motivator

Right, the sharing is Global and the SH was bounced.

0 Karma

Is it still not working? Which Splunk version are you using?
Check the article about the FieldAlias bug in Splunk versions.
https://docs.splunk.com/Documentation/Splunk/7.3.1/ReleaseNotes/Fieldaliasbehaviorchange

0 Karma