Field aliasing using host tags

pj
Contributor

I am looking to alias several field names from multiple sources/hosts with an alias of 'Username'.

When looking in the field alias section of splunk manager, there is the option to alias by Sourcetype, Source or Host. However my sourcetypes and sources are fairly generic, so I wanted to see if there was a way to alias based on host tag?

For example, I have tagged all my VPN hosts (e.g. tag::host=VPN). Sourcetype and source for this VPN log data is shared with many different types of data (e.g. sourcetype=syslog).

I have many different hosts for this VPN data and their IP addresses change quite often. So rather than selecting host and creating an entry for every IP, is there a way I can alias by tag? I tried sticking in the tag and selecting host in the drop down, but this didn't seem to work, so I am guessing I was doing something wrong!

Thanks.

1 Solution

Lowell
Super Champion

Can you explain what you mean by alias by tag?

I think you may have a misconception about how tags and field aliases work.

  • Tags: A "tag" is a human-readable (and user assigned) value given to a field/value combination. In other words, a "host" of "192.168.0.1" could be given the "VPN" tag. So you could search for this using tag::host=VPN, as you pointed out. Splunk has supported the ability to assign tags like this for a long time.
  • Field aliases: A field alias is basically a way to more gracefully accommodate the fact that sometimes a single field can be extracted with different field names. For example, one sourcetype may extract an IP address as clientip (such as access_common), whereas others may extract the same value as ip even though they represent the same thing. Of course, it's best to name your fields consistently, but that's not always possible. So in Splunk 4.0 field aliases were introduced. This way, you can indicate that ip is really an alias of clientip, which then allows you to do a search like: clientip=192.168.1.10. In which case, Splunk not only looks for this specific IP address in the clientip field, it now also looks in the ip field too. (BTW, there are other uses for this functionality as well, but this is probably the biggest use-case.)

So creating an "alias" of a "tag" doesn't really make a lot of sense. If you simply want a field/value pair to have more than one value, then you can simply assign multiple tags for that pair.

However, I don't see how any of this will help you with your fundamental issue where your host values (e.g. IPs) are changing over time. Keep in mind that tags are not date-effective; they exist across all time as far as Splunk is concerned. In other words, there is no way to return a different tag value for a single host at different points in time.

Date-effective referencing like this can be done with the lookup feature (which was also introduced in Splunk 4.0), so perhaps there is a way for you to leverage that feature to suit your needs.

Lookups can also scale better than tags. Take a look at: How many tags is too many tags? (http://answers.splunk.com/questions/212/how-many-tags-is-too-many-tags)

Helpful docs:


harishbenne2
Explorer

My issue is related to setting up a calculated field based on a tag, which seems similar but different. So, I was hoping someone could help me out here:

I have a list of URLs in my website that is critical. So, I have marked all those URLs with a tag::critical using eventtypes. However, I am unable to use the tag field within the data model it's now configured in. So, I want to set up a field called content_priority that should have the value "critical" if the tag matches, else set it to "normal".

I have configured a calculated field with following eval expression: if(tag=critical,"critical","normal")

However it does not seem to work at all. So, I am stuck with it now.

Any guidance would be very helpful and appreciated.

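The calculated-field route in the comment above cannot work as written because of Splunk's search-time operation order: field aliases and calculated fields (EVAL-) are applied before event types and tags, so the tag field is still empty when the eval runs. An automatic lookup keyed on the URL field is evaluated in its own stage and produces an ordinary search-time field. The props.conf / transforms.conf fragments below are an added example, not from the original thread or from Splunk's documentation; the sourcetype name, the url field, the lookup name critical_urls and the CSV rows are all constructed for illustration.

```ini
# props.conf  (search-time, e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/)
# Run the "critical_urls" lookup on every event of this sourcetype, keyed on
# the extracted url field, and write content_priority if it is not already set.
[access_combined]
LOOKUP-content_priority = critical_urls url OUTPUTNEW content_priority

# transforms.conf
# WILDCARD(url) lets one CSV row cover a whole path prefix.
# default_match + min_matches = 1 fills "normal" for any URL that matches no row,
# so the field is always present and the data model never sees a null.
[critical_urls]
filename = critical_urls.csv
match_type = WILDCARD(url)
case_sensitive_match = false
min_matches = 1
default_match = normal

# critical_urls.csv  (constructed sample, in the app's lookups/ directory)
# url,content_priority
# /admin/*,critical
# /api/payments/*,critical
# /login,critical
```

Because the lookup is automatic, a plain search over the sourcetype already carries content_priority on every event, and the same list of critical paths can be reused by an event type (and therefore a tag) without maintaining it twice. Splunk .conf files do not support trailing comments on a setting line, so each comment sits on its own line.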

Lowell
Super Champion

Are you using the term tag and alias as synonyms? I'm still confused, but whatever, if you figured it out then that's great. Oh, one other thing, if you are tagging more than a few hundred values you should know that tags don't necessarily scale very well, see the following http://answers.splunk.com/questions/212/how-many-tags-is-too-many-tags (or if you are creating 1000 field aliases, I'm guessing you could hit a scaling limit there too.) Just FYI.


pj
Contributor

No matter - I think I answered my own question. I can alias by sourcetype even though the sourcetype might contain many different data sources, as I can alias the same field with multiple aliases.

Thanks for your clarification anyway.


pj
Contributor

I fully understand how tags and aliases work and have read the documentation in full.

If I can only alias a field by host (i.e. IP), then if I have 1000 VPN hosts, would that not mean that I would have to set the same alias for each host IP (i.e. configure 1000 aliases)?
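Two things from this thread are worth seeing as configuration side by side: pj's eventual approach of aliasing several source fields to Username per sourcetype, and Lowell's point that a time-based lookup, unlike a tag, can say what a given IP was at the time of the event. The fragments below are an added example, not from the original thread or from Splunk's documentation; the sourcetype names, the source field names, the lookup name vpn_host_role and the CSV rows are constructed for illustration.

```ini
# props.conf  (search-time, e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/)
# One alias stanza per sourcetype. Several source fields can all be aliased
# to the single canonical name Username in the same setting (space-separated
# "<orig> AS <new>" pairs); a given event normally carries only one of them.
[syslog]
FIELDALIAS-vpn_user = user AS Username login AS Username
LOOKUP-vpn_role = vpn_host_role host OUTPUTNEW role

[cisco_asa]
FIELDALIAS-asa_user = User AS Username
LOOKUP-vpn_role = vpn_host_role host OUTPUTNEW role

# transforms.conf
# Temporal lookup: for each event Splunk picks the row whose "effective"
# timestamp is the latest one at or before the event's _time, so an IP that
# was a VPN concentrator in January and was reassigned in March is attributed
# correctly for both periods. Tags cannot express this.
[vpn_host_role]
filename = vpn_host_role.csv
time_field = effective
time_format = %Y-%m-%dT%H:%M:%S

# vpn_host_role.csv  (constructed sample, in the app's lookups/ directory)
# host,effective,role
# 192.168.0.1,2014-01-01T00:00:00,VPN
# 192.168.0.1,2014-03-01T00:00:00,decommissioned
# 10.0.5.7,2014-02-15T00:00:00,VPN
```

Field aliases are applied before automatic lookups in the search-time sequence, so a lookup may be keyed on Username as well as on host. With both pieces in place a search such as role=VPN Username=alice reads consistently across sourcetypes and across IP reassignments, which matters when a historical logon has to be attributed to the right host class during an investigation; a plain host tag would silently apply today's role to last year's events. The 1000-alias problem from the question goes away because the alias is keyed on the (few) sourcetypes, while the per-host detail lives in one CSV that can be regenerated from inventory.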
