Splunk Enterprise Security

Field aliases don't always return the same number of results as the field being aliased

dsrvern
Explorer

Hi,

I'm using Splunk 6.6.3 with the Enterprise Security app, with access only to the web interface.

I have two indexes, each with the same sourcetype:

index=index1 sourcetype=WindowsEventLogs
index=index2 sourcetype=WindowsEventLogs

WindowsEventLogs contains the same fields in both indexes, as expected.

I created an alias named "dhost" which corresponds with the existing field "dest". The field alias has global permissions, readable to everyone.

Next, I obtained the count of "dest" and "dhost" from each index, specifying a 1 minute range from the time picker (9:55:00 - 9:55:59). The results show a different number of events for the original "dest" field, and the aliased "dhost" field:

index=index1 sourcetype=WindowsEventLogs | stats count(dest)       612 (612 events)
index=index1 sourcetype=WindowsEventLogs | stats count(dhost)      335 (612 events)

index=index2 sourcetype=WindowsEventLogs | stats count(dest)        19 (19 events)
index=index2 sourcetype=WindowsEventLogs | stats count(dhost)       4 (19 events)

I expected the numbers to match in each index. For example, I expected 335 to be 612, and I expected 4 to be 19.

I also tried the same scenario with "source" instead of "sourcetype" when creating the field alias, but the results were exactly the same.

Also, if I create a field alias for a sourcetype whose name isn't shared with any other indexes, the numbers for "dest" and "dhost" sometimes do match as I expected, and sometimes they do not.

Finally, I've read the Splunk docs, searched Google and answers.splunk.com, and can't find any mention of this behavior. Have I overlooked something? Shouldn't the count of the alias and the field being aliased be the same?

Thanks.

Update: I don't believe that field aliases are working properly. I've just created 7 aliases for a field in one sourcetype, and the search results are inconsistent:

index=foo sourcetype=bar | stats count(src),count(shost2),count(shost3),count(test123),count(asdf),count(test1234),count(asdf2),count(test12)

These are the results:

src: 43
shost2: 0
shost3: 0
test123: 15
asdf: 0
test1234: 15
asdf2: 0
test12: 15

That is not what I expect to see based on the definition of a field alias.

0 Karma

smoir_splunk
Splunk Employee

Enterprise Security uses app imports to selectively import apps and knowledge objects. If the app in which you created one of the field aliases is not being imported by Enterprise Security, that could explain some of the behavior you're seeing. I haven't experimented to confirm that this is the case, but it's something worth checking out.

0 Karma

peterchenadded
Path Finder

Not able to reproduce this. Is this happening in a single instance of Splunk?

Maybe the field alias setting hasn't been replicated correctly to all your indexers.

Are there any errors or warnings in your "inspect job" splunk.log?

0 Karma
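The two hypotheses above (the alias living in an app that Enterprise Security does not import, and the alias not being replicated to every search peer) can both be checked from the effective props.conf that `splunk btool props list --debug` prints on each node. The script below is an added example written for this thread, not code from the original post or from Splunk: it parses that output for one search head and any number of peers, lists every FIELDALIAS with the app it comes from, and flags aliases in non-imported apps or missing/different on a peer. The btool samples are constructed for illustration, the ES import prefixes are stated from memory and should be confirmed in ES under Configure > General > App Imports Update, and the location of the expanded knowledge bundle on a peer ($SPLUNK_HOME/var/run/searchpeers/) is likewise an assumption to verify on your version. It needs shell or file access on the nodes, which the original poster said they did not have.

```python
"""Added diagnostic: compare effective FIELDALIAS settings across Splunk nodes.

Input per node is the text of `splunk btool props list --debug`, whose lines
look like "<source file>   <setting or [stanza]>". On a search peer, point
btool at (or copy props.conf from) the expanded bundle under
$SPLUNK_HOME/var/run/searchpeers/<sh>-<epoch>/ (ASSUMPTION: verify the path).
"""
import re
from collections import defaultdict

_BTOOL_LINE = re.compile(r"^(\S+)\s+(.*)$")          # path, then the conf line
_STANZA = re.compile(r"^\[(.+)\]$")
_FIELDALIAS = re.compile(r"^FIELDALIAS-(\S+)\s*=\s*(.+)$")
_APP_DIR = re.compile(r"/apps/([^/]+)/")

# ASSUMPTION: app-name prefixes that Enterprise Security imports by default
# (plus the ES app itself). Confirm against Configure > General > App Imports Update.
ES_IMPORT_PREFIXES = ("SplunkEnterpriseSecuritySuite", "DA-ESS-", "SA-", "TA-",
                      "Splunk_SA_", "Splunk_TA_")


def parse_btool_debug(text):
    """Return {stanza: {alias_class: {"rule": str, "app": str, "path": str}}}."""
    result = defaultdict(dict)
    stanza = None
    for raw in text.splitlines():
        m = _BTOOL_LINE.match(raw.strip())
        if not m:
            continue
        path, body = m.groups()
        s = _STANZA.match(body)
        if s:
            stanza = s.group(1)
            continue
        f = _FIELDALIAS.match(body)
        if f and stanza:
            app = _APP_DIR.search(path)
            result[stanza][f.group(1)] = {
                "rule": f.group(2).strip(),
                "app": app.group(1) if app else "system",
                "path": path,
            }
    return dict(result)


def es_imports(app):
    """True if the app name matches an ES import pattern (see ASSUMPTION above)."""
    return app.startswith(ES_IMPORT_PREFIXES)


def check_aliases(outputs, search_head="search_head"):
    """outputs: {node_name: btool --debug text}. Returns a list of findings."""
    parsed = {node: parse_btool_debug(text) for node, text in outputs.items()}
    findings = []
    for stanza, aliases in parsed[search_head].items():
        for cls, info in aliases.items():
            if not es_imports(info["app"]):
                findings.append(f"[{stanza}] FIELDALIAS-{cls} is defined in app "
                                f"'{info['app']}', which ES does not import")
            for node, conf in parsed.items():
                if node == search_head:
                    continue
                peer = conf.get(stanza, {}).get(cls)
                if peer is None:
                    findings.append(f"[{stanza}] FIELDALIAS-{cls} is missing on {node} "
                                    f"(not in the replicated bundle)")
                elif peer["rule"] != info["rule"]:
                    findings.append(f"[{stanza}] FIELDALIAS-{cls} differs on {node}: "
                                    f"'{info['rule']}' vs '{peer['rule']}'")
    return findings


# Constructed sample output (not captured from the poster's environment):
# dhost was created in the ES app, shost2 in the search app, and only the
# ES app's alias made it into the bundle replicated to indexer1.
SEARCH_HEAD = """\
/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/local/props.conf [WindowsEventLogs]
/opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/local/props.conf FIELDALIAS-dhost = dest AS dhost
/opt/splunk/etc/apps/search/local/props.conf                        FIELDALIAS-shost2 = src AS shost2
"""
INDEXER1 = """\
/opt/splunk/var/run/searchpeers/sh1-1500000000/apps/SplunkEnterpriseSecuritySuite/local/props.conf [WindowsEventLogs]
/opt/splunk/var/run/searchpeers/sh1-1500000000/apps/SplunkEnterpriseSecuritySuite/local/props.conf FIELDALIAS-dhost = dest AS dhost
"""

if __name__ == "__main__":
    for line in check_aliases({"search_head": SEARCH_HEAD, "indexer1": INDEXER1}):
        print(line)
```

On a real deployment, capture `splunk btool props list --debug` on the search head and on each peer, and pass the texts in as the dictionary values; an alias that only shows findings for some peers is the replication case, while one flagged as living in a non-imported app is the case smoir_splunk describes.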

dsrvern
Explorer

Thank you for your feedback, peterchenadded. Though I didn't find any related errors or warnings in the inspect job splunk.log, that did give me something new to look into for troubleshooting. It's possible the field alias isn't replicating correctly. I'll have to get someone else to investigate that.

@smoir - Thank you for your reply. I created the field alias within the Enterprise Security app (via Settings >> Fields >> Field aliases).

0 Karma