Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Field Alias Applied to Hostname - Events Matched But No Results?

kbarton
New Member
‎02-20-2023 11:17 AM

Hi,

I am new to Splunk so please forgive me.

I had created a field field, where if the hostname contains "*-us*" then region=NA.

In search, I enter the query region=NA and I see thousands of events matched, but there are no results in the current time range. I am hoping for assistance with understanding why this is, or if I am going about this the incorrect way.

Thank you in advance.

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-20-2023 07:42 PM

How did you create the field - in the data or as a calculated field using an eval statement or did you really create an 'alias' field?  You cannot make a Splunk alias field that does what you are trying to do.

If you run the search

your_search region=NA
| table hostname region

what do your hostnames and regions look like?

Please show how you created the region field

 

0 Karma
Reply

kbarton
New Member
‎02-21-2023 07:14 AM

Hi,

Thanks for your response. I went into settings->Fields->Field Aliases->New Field Alias:

Destination app: search

Name: region NA

Apply to: host, named: *-us*

Field aliases: region=NA

 

The query that you had provided does not display any results.

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-21-2023 04:21 PM

Seems like you've gone down the wrong path.  An alias is there to so that if you have a field called host, you want to have another field called my_alias_for_host that has the same value as host, but which is just a new name to access the value of host.

What you want is to have a calculated field, which has an eval condition that populates a NEW field called region that is set to NA ONLY if the value of the other field host (not hostname?) does not contain the text

-us

I am assuming you want your wildcard * characters to assume anything before or after -us

So, create a new calculated field called region, apply it to the dataset you want it to be calculated for and make the eval statement

if(match(host, "-us"), "NA", "Value_for_Region_if_NOT_US")

Note that "Apply to: host" is NOT the right option here, you probably want to apply it to a source or sourcetype that contains the type of data you are dealing with

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...