Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

FieldAlias Setup

wildbill4
Path Finder
‎09-17-2010 01:04 PM

I'm trying to setup Fieldalias and not getting desire results. Here is what I have put into the props.conf file.

  FIELDALIAS = acct AS account
  FIELDALIAS = User_Name AS account

Am I missing something??

Thanks

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

southeringtonp
Motivator
‎09-17-2010 01:26 PM

Your second FIELDALIAS statement will override the first.

Try adding an extension so that you have two unique entries:

FIELDALIAS-acct = acct AS account
FIELDALIAS-username = User_Name AS account

Alternately, you can have both aliases in a single line. If you go that route, you will still override any previously defined value for FIELDALIAS=, so it's still a good idea to add a qualifier as shown above.

View solution in original post

Reply
Solved! Jump to solution

Dan
Splunk Employee
Splunk Employee
‎10-19-2010 01:05 AM

Unfortunately, field aliasing is one-to-one, and won't allow you to map many-to-one. The reason is that if orig_field doesn't exist, a blank value will be assigned to new_field.

Consider an event that has only the acct field. Both FIELDALIAS directives will be evaluated. Lexicographically, FIELDALIAS-acct runs first and successfully aliases acct as account. But when FIELDALIAS-username runs it finds no User_Name field, so the result is the account field will be blank.

There are two ways to work around this.

  1. Use props.conf:

    REPORT-alias_account = acct_as_account,User_Name_as_account

    and transforms.conf:

    [acct_as_account]
SOURCE_KEY = acct
REGEX = (?<account>.+)
[User_Name_as_account]
SOURCE_KEY = User_Name
REGEX = (?<account>.+)

  2. Use the search language:

    | eval account= IF(ISNULL(acct),User_Name,acct)
Reply
Solved! Jump to solution
Solution

southeringtonp
Motivator
‎09-17-2010 01:26 PM

Your second FIELDALIAS statement will override the first.

Try adding an extension so that you have two unique entries:

FIELDALIAS-acct = acct AS account
FIELDALIAS-username = User_Name AS account

Alternately, you can have both aliases in a single line. If you go that route, you will still override any previously defined value for FIELDALIAS=, so it's still a good idea to add a qualifier as shown above.

Reply
Solved! Jump to solution

wildbill4
Path Finder
‎09-17-2010 02:13 PM

Thanks for the assistance

0 Karma
Reply
Solved! Jump to solution

southeringtonp
Motivator
‎09-17-2010 02:12 PM

It will have to be in a stanza that matches the sourcetype (or host, or source) for which you want to set the field alias. Other than that, it doesn't matter as long as it's a unique entry as above. If it's non-unique, then you have to worry about precedence rules, since another entry could override it (possibly from a different app). Also, I'm assuming you're only trying to use it within the search app -- if you need it across multiple apps you'll need to check the permissions and make sure it's set to global.

0 Karma
Reply
Solved! Jump to solution

wildbill4
Path Finder
‎09-17-2010 01:41 PM

Does it matter where in the props.conf file I input the FIELDALIAS information?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...