Field Aliases

Motivator

Hi,

I want to configure some field aliases. I want to add an alias C for the fields A & B.
I've done this in the settings, but in the search it only works for field A. Is it not possible to set one alias for 2 different fields?

Best
Heinz

Re: Field Aliases

SplunkTrust

What is the value of C supposed to be if both A and B exist?

Re: Field Aliases

Motivator

Users can appear in both fields. I would like to have a way to create stats about distinct users. That's why I wanted to set two aliases:

A=C
B=C

Then I would have to deal only with one field (C) in the search.

PS: Next to that, I don't know how to handle a search for distinct user over 2 fields 😉

Re: Field Aliases

SplunkTrust

You could do this:

... | eval C = coalesce(A, B) | stats dc(C)

"Use A if exists, else use B". That can be stored in a calculated field if you like.

Re: Field Aliases

Motivator

I tried this out, but dc(c) is always equal to dc(a).
The fields A & B can both appear in one event. So I think that's why this command is just using the users of the field A.

Re: Field Aliases

SplunkTrust

If A and B exist in one event then my C will eval to A.

What should the value of C be in this case? (See my comment on your question)

Re: Field Aliases

Motivator

I thought I could collect all users from A & B in this field and use dc(C) to get the total distinct user count.

But it doesn't make sense via an alias, because there would be more than 1 value for the field C in each event?!

In the end, I'm just looking for a way to dc(users). These users can appear in the fields A & B.

Re: Field Aliases

SplunkTrust

That's beyond an alias. You basically want to merge A and B into a multi-value field.

You can eval your way there though, like this:

index=_internal | eval sst = source."###".sourcetype | makemv sst delim="###" | stats dc(source) dc(sourcetype) dc(sst)

Imagine source is A, sourcetype is B, and sst is C. That eval should be includable in a calculated field, but probably not the makemv. You can go macro of course.

Re: Field Aliases

Motivator

Hi Martin,

I'll switch languages, it makes things a bit easier 😉

I can follow your approach so far, but dc(sst) doesn't seem to work as desired. Is each individual element of the multivalue fields supposed to be counted here?

My search:

| eval C=A."###".B | makemv C delim="###" | stats dc(A), dc(B), dc(C)

Besides, "sst" is often empty.

Re: Field Aliases

SplunkTrust

That's the plan. Example:

| stats count as foo | eval foo = "1-1,2-3,3-5" | makemv foo delim="," | mvexpand foo | makemv foo delim="-" | appendpipe [stats dc(foo)]

Result (each foo row is a multivalue field with two values; the last row comes from the appendpipe):

foo     dc(foo)
1 1
2 3
3 5
        4

dc(foo) is correct, since foo contains 1,2,3,5 - so distinct count = 4.

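To make the difference between the two answers concrete, here is an added Python model of the SPL semantics discussed in this thread (the coalesce search, the eval/makemv multivalue merge, and the final makemv/mvexpand check). It is example code written for this page, not Splunk code and not anything the posters ran; the events and user names are constructed. It also models one point the thread only hints at with "sst is often empty": in SPL the `.` concatenation operator returns null when either operand is null, so the `A."###".B` merge drops every event that has only one of the two fields, which a null-safe merge (for instance with mvappend(A, B)) avoids.

```python
# Added example: a Python model of the SPL approaches from the thread.
# Not Splunk code. All events, field names and user values are constructed.

# Constructed events. A is present in every event, B only in some,
# which reproduces the asker's observation that dc(coalesce(A,B)) == dc(A).
SAMPLE_EVENTS = [
    {"A": "alice", "B": "bob"},
    {"A": "carol"},
    {"A": "dave", "B": "erin"},
    {"A": "bob", "B": "frank"},
]


def dc_field(events, field):
    """Model of | stats dc(<field>): distinct non-null values of one field."""
    return len({ev[field] for ev in events if field in ev})


def coalesce(*values):
    """Model of SPL coalesce(): the first argument that is not null."""
    for v in values:
        if v is not None:
            return v
    return None


def dc_coalesce(events, first="A", second="B"):
    """Model of | eval C = coalesce(A, B) | stats dc(C).

    When both fields exist in an event, C takes A's value and the user
    in B is never counted, so the result can never exceed dc(A) + events
    that carry only B.
    """
    seen = set()
    for ev in events:
        c = coalesce(ev.get(first), ev.get(second))
        if c is not None:
            seen.add(c)
    return len(seen)


def merged_mv(ev, first="A", second="B", null_safe=False):
    """Model of the multivalue merge.

    null_safe=False mirrors | eval C = A."###".B | makemv C delim="###":
    SPL's `.` operator yields null if either operand is null, so an event
    missing A or B ends up with no C at all (the 'sst is often empty' case).
    null_safe=True mirrors an mvappend(A, B)-style merge that keeps
    whichever values are present.
    """
    a, b = ev.get(first), ev.get(second)
    if null_safe:
        return [v for v in (a, b) if v is not None]
    if a is None or b is None:
        return []
    return f"{a}###{b}".split("###")


def dc_merged(events, null_safe=False):
    """Model of | stats dc(C) over the merged multivalue field:
    every individual value of C counts, not the field as a whole."""
    seen = set()
    for ev in events:
        seen.update(merged_mv(ev, null_safe=null_safe))
    return len(seen)


def dc_makemv_pipeline(value="1-1,2-3,3-5"):
    """Model of the final post's check:
    makemv foo delim="," | mvexpand foo | makemv foo delim="-" | stats dc(foo)
    Returns the expanded rows and the distinct count over all values."""
    rows = [chunk.split("-") for chunk in value.split(",")]
    distinct = {v for row in rows for v in row}
    return rows, len(distinct)


if __name__ == "__main__":
    print("dc(A):", dc_field(SAMPLE_EVENTS, "A"))
    print("dc(B):", dc_field(SAMPLE_EVENTS, "B"))
    print("dc(coalesce(A,B)):", dc_coalesce(SAMPLE_EVENTS))
    print("dc(A.'###'.B merged):", dc_merged(SAMPLE_EVENTS))
    print("dc(null-safe merge):", dc_merged(SAMPLE_EVENTS, null_safe=True))
    print("makemv/mvexpand check:", dc_makemv_pipeline())
```

On the constructed events the coalesce approach counts 4 users (the same as dc(A), because carol, dave and bob's events all carry A, so B's user is discarded whenever both exist), the concatenation merge counts 5 (it loses carol, whose event has no B and therefore no C), and only the null-safe merge reaches the real distinct total of 6. For security reporting this matters: a distinct-user metric built on coalesce silently undercounts whenever both identity fields are populated, so check the merged field on events that carry only one of the two before trusting the number.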