Splunk Search

Can I have one alias referring to multiple fields and search this alias to find multiple values?

shahar_cohen
New Member

Hey,
I just started to use splunk, and i'm trying to organize my data a way i believe would be the easier to use in the future.

I have multiple fields that represents different kind of IP addresses (internal ip, nat ip, internet ip, ipv4, ipv6). Each of those types has different field name.

BUT, I want to have a generic alias, called "IP" that will be alias for all of the different kind of ip fields i have. In the same event, sometimes, i have multiple ip addresses of different types (internet IP and internal IP for example). It looks like that in this case, the last alias definition of "IP" overrides all the previous ones, so it doesn't find me all the relevant results when i'm searching on the field "IP". it ignores all the alias definitions of IP, except the last one.

So, My Questions:

  1. Can I have one alias refering to multiple fields, all exists in the same event?
  2. Can I search on this alias to find multiple values?

Thanks.

Tags (3)
0 Karma

aweitzman
Motivator

I think you want to add an EVAL line to your props.conf file under the appropriate stanza to generate this field:

EVAL-IP = mvappend(internal_ip,nat_ip,internet_ip,ipv4,ipv6)

Then you can search for any flavor of IP address using IP=<addr goes here> and it should show up in your results. If you want to test it beforehand, you can do a search-bar search with a clause like:

initial search | eval IP=mvappend(internal_ip,nat_ip,internet_ip,ipv4,ipv6) | search IP=some.addr

and see whether you get the results you want.

(If you haven't done so already, read http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Propsconf to make sure you're working with an appropriately-written stanza in your props.conf.)

(Note: This does not appear to be the documented behavior of mvappend, but this is how it works in real life today.)

strive
Influencer

strive
Influencer

How you have defined field alias in your props.conf? Can you post it here.

0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...