Splunk Search

Confusing behaviour of fieldalias

szabados
Communicator

I have downloaded the Linux secure TA from Splunkbase and applied it on my Splunk instance, and I've been facing a strange issue I can't understand.

There are a couple fieldaliases defined in it:

FIELDALIAS-rhost = rhost AS src_ip <<<<<<<<<<
FIELDALIAS-src_user = ruser AS src_user
FIELDALIAS-app = process AS app
FIELDALIAS-vendor_product = process AS vendor_product
FIELDALIAS-dest = host AS dest
FIELDALIAS-dest_host = host AS dest_host
FIELDALIAS-dest_nt_domain = kerberos_domain AS dest_nt_domain
FIELDALIAS-src = src_ip AS src <<<<<<<<<<<<<<

I've marked the problematic ones with the arrows.
So, src_ip is created just as expected. However, src is not, except in a really small number of events. Doing a quick spot check, I had like 25 different values in src_ip, but only 2 in src.
My search looked like simply this:
index=ftp

Going forward, when I've selected a value from src_ip, and run my search like this:
index=ftp src_ip=1.2.3.4

then the src field was created, and it had the 1.2.3.4 value in it. (previously, it was present in src_ip but not in src)

After this, I've created a new props.conf in the local folder of the TA, and added the following line:
FIELDALIAS-rhost = rhost AS src_ip
FIELDALIAS-rhost_test = rhost AS src <<<<<<<

Now it works for 100% of the events; both src_ip and src are created with all the values.

I just can't understand what went wrong with the original configuration.
What am I missing?


rjthibod
Champion

In your original configuration, you are trying to define a fieldalias src from the other fieldalias src_ip. That is not supported. All fieldalias operations happen in parallel, so you cannot have a dependency on one alias in the definition of another alias.

Your second version works because there is no dependency on src_ip in the definition of src.

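As an added illustration (my own code, not Splunk's implementation and not part of the TA), here is a small Python model of the rule in the accepted answer: every alias reads from the field set as it existed before any alias ran. The events are constructed sample data; the third one already carries src_ip before aliasing, which under this model is the only way the chained original configuration can ever produce src.

```python
# Added illustration: a simplified model of how Splunk applies FIELDALIAS
# settings. This is NOT Splunk's code; it only encodes the rule from the
# accepted answer: all aliases run in parallel against the original
# fields, so one alias cannot consume the output of another.
from typing import Dict, List, Tuple

Alias = Tuple[str, str]  # (source_field, alias_name), i.e. "source AS alias"


def apply_aliases(event: Dict[str, str], aliases: List[Alias]) -> Dict[str, str]:
    """Apply all aliases in parallel: each one looks at the ORIGINAL
    field set of the event, never at fields created by sibling aliases."""
    original = dict(event)  # snapshot taken before any alias runs
    result = dict(event)
    for source, alias in aliases:
        if source in original:
            result[alias] = original[source]
    return result


# The TA's original chain (only the two relevant lines from the question).
ORIGINAL_TA: List[Alias] = [("rhost", "src_ip"), ("src_ip", "src")]
# The questioner's local props.conf fix: both aliases read from rhost.
FIXED_LOCAL: List[Alias] = [("rhost", "src_ip"), ("rhost", "src")]

# Constructed sample events, shaped like what field extraction would deliver.
EVENTS: List[Dict[str, str]] = [
    {"host": "bastion", "process": "sshd", "rhost": "203.0.113.10"},
    {"host": "bastion", "process": "sshd", "rhost": "198.51.100.7"},
    # Constructed edge case: src_ip already exists before any alias runs.
    {"host": "bastion", "process": "sshd", "rhost": "192.0.2.5", "src_ip": "192.0.2.5"},
]


def src_coverage(aliases: List[Alias]) -> Tuple[int, int]:
    """Return (events that end up with src_ip, events that end up with src)."""
    aliased = [apply_aliases(e, aliases) for e in EVENTS]
    return (sum("src_ip" in e for e in aliased), sum("src" in e for e in aliased))


if __name__ == "__main__":
    # original TA: src only on the event where src_ip pre-existed -> (3, 1)
    print("original TA :", src_coverage(ORIGINAL_TA))
    # local fix: src on every event that has rhost -> (3, 3)
    print("local fix   :", src_coverage(FIXED_LOCAL))
```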

lwest_splunk
Splunk Employee

For a more in-depth explanation of the limitations of FIELDALIAS, please see my answer on https://answers.splunk.com/answers/657473/fieldalias-override-another-fieldalias.html?childToView=76...
