Splunk Search

Field Alais created were not working

Gowtham0809
New Member

We have created several Field aliases based on different source and source types in our splunk query.

Most of the Field alias created were working without ant issues, but some of the alias created were not visible for splunk searches?

Can someone suggest any workaround for this?. This occurs when Alias were created on on both source and sourcetypes but not for all the alias we created.

Thanks,

Tags (1)
0 Karma
1 Solution

mattchiste
Explorer

Check out: https://docs.splunk.com/Documentation/Splunk/7.3.0/ReleaseNotes/Fieldaliasbehaviorchange.

The behavior of Field Aliases have changed in 7.2 and 7.3 over previous versions. That article does a good job of explaining how and why. You probably want to use coalesce or the new AS NEW keyword.

View solution in original post

mattchiste
Explorer

Check out: https://docs.splunk.com/Documentation/Splunk/7.3.0/ReleaseNotes/Fieldaliasbehaviorchange.

The behavior of Field Aliases have changed in 7.2 and 7.3 over previous versions. That article does a good job of explaining how and why. You probably want to use coalesce or the new AS NEW keyword.

Gowtham0809
New Member

Hello, I have sorted the issue by providing the providing source as file level. for example. I have a folder structure C:\temp\Splunkdata\alias*.csv

earlier I was using the source as C:\temp\Splunkdata* in the alias context and when i chnaged the source as C:\temp\Splunkdata\alias* all my alias started working.

Does thus mean do I need to provide the source path in file level is the best practice, or my providing source path upto top level folders should also work?

Thanks

0 Karma

mattchiste
Explorer

You probably have more than one FieldAlias defined for C:\temp\Splunkdata\ and they are interacting in ways you aren't expecting. By changing the source to something more explicit, the FieldAlias is likely the only unique one for that source.

0 Karma
Get Updates on the Splunk Community!

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...

Want to Reduce Costs, Mitigate Risk, Improve Performance, or Increase Efficiencies? ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...