Splunk Search

How to define field alias on extracted fields?

sabaKhadivi
Path Finder

I extracted some fields from raw log , and I want to define field alias for them , but on specific field which is used in other indexes and has field alias ,the alias doesn't work .

0 Karma
1 Solution

PowerPacked
Builder

Hi

If you extracted those fields by eval, its not gonna work as there is a sequence in search time operations. - field alias comes before eval ( calculated fields)

Please take a look at this sequence of search time operation, which means every search ran in UI go through these operations in order.

https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Searchtimeoperationssequence

Thanks

View solution in original post

0 Karma

PowerPacked
Builder

Hi

If you extracted those fields by eval, its not gonna work as there is a sequence in search time operations. - field alias comes before eval ( calculated fields)

Please take a look at this sequence of search time operation, which means every search ran in UI go through these operations in order.

https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Searchtimeoperationssequence

Thanks

0 Karma

sabaKhadivi
Path Finder

Thanks for your answer, but I use inline extraction which is in the firest sequnece , that field alias work on some indexes and don't work on the others.

0 Karma

PowerPacked
Builder

Does that means you have Extract-classname in props of searchhead for above extracted fields?

Thanks

0 Karma

sabaKhadivi
Path Finder

yes exactly, the problem is solved ,it was related to host::* whitch cause conflict with other configuration by TAs. when I restrict host ,it just work!!!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The field alias is set at sourcetype/source/host level. Where have you setup your field alias and did you use correct sourcetype/source/host?

0 Karma

sabaKhadivi
Path Finder

I setted it up from field bar , and I default it based on host .

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...