I am looking to alias several field names from multiple sources/hosts with an alias of 'Username'.
When looking in the field alias section of splunk manager, there is the option to alias by Sourcetype, Source or Host. However my sourcetypes and sources are fairly generic, so I wanted to see if there was a way to alias based on host tag?
For example, I have tagged all my VPN hosts (e.g. tag::host=VPN). Sourcetype and source for this VPN log data is shared with many different types of data (e.g. sourcetype=syslog).
I have many different hosts for this VPN data and their IP addresses change quite often. So rather than selecting host and creating an entry for every IP, is there a way I can alias by tag? I tried sticking in the tag and selecting host in the drop down, but this didn't seem to work, so I am guessing I was doing something wrong!
Can you explain what you mean by alias by tag?
I think you may have a misconception about how tags and field aliases work.
tag::host=VPN, as you pointed out..) Splunk has supported the ability to assign tags like this for a long time.
access_common), whereas others may extract the same value as ip even though they represent the same thing. Of course, it's best to name your fields consistently, but that's not always possible. So in Splunk 4.0 field aliases were introduced. This way, you can indicate that ip is really an alias of clientip, which then allows you to do a search like clientip=192.168.1.10, in which case Splunk not only looks for this specific IP address in the clientip field, it now also looks in the ip field too. (BTW, there are other uses for this functionality as well, but this is probably the biggest use-case.)
So creating an "alias" of a "tag" doesn't really make a lot of sense. If you simply want a field/value pair to have more than one value, then you can simply assign multiple tags for that pair.
However, I don't see how any of this will help you with your fundamental issue where your host values (e.g. IPs) are changing over time. Keep in mind that tags are not date-effective; they exist across all time as far as Splunk is concerned. In other words, there is no way to return a different tag value for a single host at different points in time.
Date-effective referencing like this can be done with the lookup feature (which was also introduced in Splunk 4.0), so perhaps there is a way for you to leverage that feature to suit your needs.
Lookups can also scale better than tags. Take a look at: How many tags is too many tags?
I fully understand how tags and aliases work and have read the documentation in full.
If I can only alias a field by host (i.e. IP), then if I have 1000 VPN hosts, would that not mean that I would have to set the same alias for each host IP (i.e. configure 1000 aliases)?
No matter, I think I answered my own question. I can alias by sourcetype even though the sourcetype might contain many different data sources, as I can alias the same field with multiple aliases.
Thanks for your clarification anyway.
Are you using the term alias as synonyms? I'm still confused, but whatever, if you figured it out then that's great. Oh, one other thing: if you are tagging more than a few hundred values you should know that tags don't necessarily scale very well, see the following http://answers.splunk.com/questions/212/how-many-tags-is-too-many-tags (or if you are creating 1000 field aliases, I'm guessing you could hit a scaling limit there too.) Just FYI.
My issue is related to setting up a calculated field based on a tag; it seems similar but different. So, I was hoping someone could help me out here:
I have a list of URLs in my website that are critical. So, I have marked all those URLs with a tag::critical using eventtypes. However, I am unable to use the tag field within the datamodel as it's now configured. So, I want to set up a field called content_priority that should have a value of "critical" if the tag matches, else set it to
I have configured a calculated field with the following eval expression:
However, it does not seem to work at all. So, I am stuck with it now.
Any guidance would be very helpful and appreciated.
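Pulling the thread's suggestions together, here is an added example (not from any of the posters above and not Splunk's own documentation) of the search-time configuration: a FIELDALIAS by sourcetype as in the self-answer earlier, a temporal lookup for the date-effective host-to-role mapping that the answer recommends over tags, and a lookup-driven content_priority field for the last post, because calculated fields are evaluated before event types and tags in Splunk's search-time sequence, so an EVAL- that tests tag cannot see it. The sourcetype, field names, file names and CSV rows are all assumptions.

```ini
# props.conf  (all stanza, field and file names below are assumptions)

[syslog]
# One target field fed from several source fields, as in the self-answer:
# events carrying either 'user' or 'vpn_user' also get a 'Username' field.
FIELDALIAS-username = user AS Username vpn_user AS Username

# Temporal lookup: maps the host IP to the role it had at the event's _time,
# so an IP that is re-used later gets the role that was valid at that moment.
LOOKUP-vpn_role = vpn_host_role host OUTPUT host_role

# Lookup-driven priority for the critical-URL question. A calculated field
# (EVAL-) runs before event types and tags, so it cannot test 'tag'; an
# automatic lookup keyed on url runs earlier and is visible to a data model.
LOOKUP-content_priority = critical_urls url OUTPUT content_priority


# transforms.conf

[vpn_host_role]
filename = vpn_hosts.csv
# The row whose valid_from is the latest one at or before the event time wins.
time_field = valid_from
time_format = %Y-%m-%d

[critical_urls]
filename = critical_urls.csv
# Wildcard match on the url column; events matching no row get "normal".
match_type = WILDCARD(url)
min_matches = 1
default_match = normal


# lookups/vpn_hosts.csv  (constructed sample rows)
host,host_role,valid_from
10.1.2.3,VPN,2012-01-01
10.1.2.3,PRINTER,2012-06-01
10.9.8.7,VPN,2012-03-15

# lookups/critical_urls.csv  (constructed sample rows)
url,content_priority
/checkout*,critical
/api/payment/*,critical
/account/*,critical
```

Each section belongs in its own file; the "#" lines naming the CSV files are not part of the CSV content. Verify with a search such as sourcetype=syslog | table host host_role Username that the role flips for 10.1.2.3 on the 2012-06-01 boundary.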