Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Using Field Aliases
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just a small query: Lets say I need to find all values in one field in the access_logs matching values in some other fields:
For example a search like this:
Sourcetype="My_Custom_sourcetype" departure_city = return_city ...and so on..
We want to find all errors where the departure city and return city are the same.
Above we want to look at all values where dep_city equal values in return_city field. In SQL we normally use aliases for such joins. I have tried using FIELDALIAS but it does not seem to work. Would appreciate any help. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had a similar requirement and following worked for me:
Change
Sourcetype="My_Custom_sourcetype" departure_city = return_city
to
Sourcetype="My_Custom_sourcetype" |where departure_city = return_city
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had a similar requirement and following worked for me:
Change
Sourcetype="My_Custom_sourcetype" departure_city = return_city
to
Sourcetype="My_Custom_sourcetype" |where departure_city = return_city
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks so much. You are awesome.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should set what host/source/sourcetype you want to define your field alias
Then set something like this:
let say departure_city is on host1 and return_city is on host2
host=host1
departure_city = my_city_alias
create another one for return_city on host2
host=host2
return_city = my_city_alias
in your search:
host=host1 OR host=host2 my_city_alias="Some City"
This should return events with departure_city and return_city that are the same.
Hope this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the answer. This query is useful, if we are looking for pairs given a particular city, But in my case, I want to do it for all combinations.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Automating Threat Operations and Threat Hunting with Recorded Future
Keep the Learning Going with the New Best of .conf Hub
Splunk Community Badges!
