Splunk Search

Getting Field Aliases to Populate to a Dashboard

Path Finder

I have an index with data from two different sourcetypes. Each sourcetype has several different values which I have created field aliases for. When I run a search, all of the fields are shown with their aliases correctly.

However, if I save the search as a dashboard (which I will ultimately use with Text Inputs to search the data), the field aliases do not show up and further, the field extractions don't show up either.

I have given the dashboard global read rights (heard that might fix it) but it still isn't working.

What am I missing?

Thanks!

0 Karma

Esteemed Legend

It is not the dashboard that needs global permissions, it is your knowledge objects which do. Go here: Settings -> Fields -> Field aliases and search for yours. Change the sharing settings to global and it will work everywhere.

0 Karma

Path Finder

I adjusted these settings and unfortunately it still isn't pulling the Field Aliases.

Thanks!

0 Karma

Esteemed Legend

Did you bump or logout and log back in?

0 Karma

Path Finder

Yes, I logged out and back in several times. I also restarted the Splunk server if that matters.

Thanks!

0 Karma

Legend

Can you paste your search query which is working before you save as dashboard? Also if you can mention field with alias.

Have you tried running the search in Fast mode? Does it work?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Path Finder

It's a very simple search.

index="abc_security_sandbox" sourcetype="HL7" OR sourcetype="ABC1"

I did run it in Fast Mode and that did not return the Field Aliases.

Could that be the issue? The dashboard is running in 'Fast Mode' and needs to be run in 'Smart Mode' somehow via the Dashboard search?

Thanks!

0 Karma

Legend

@chrisschum, Which is the field you have created alias for? You mentioned that your original search was working fine (possibly running in smart or verbose) but the same did not work in fast mode.

Are you using alias field in the base search or afterwards? Try the following with your alias field.

index="abc_security_sandbox" sourcetype="HL7" OR sourcetype="ABC1"
| search <YourAliasFieldName>

It would be better if you add more details with your sourcetype --> Field mapping and alias field name.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Champion

Are the dashboard and props.conf (in which you defined the ALIASes) in the same app? If not, you may need to alter your metadata for the app which defines your ALIASes to export its props to all other apps.

0 Karma

Path Finder

Unfortunately, I don't have direct access to that file so I've reached out to the admins to ask that question.

I'll let you know when I hear back from them.

Thanks!

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!