Splunk Search
Highlighted

Why is my field alias not recognized in a search?

New Member

I created in props.conf:

FIELDALIAS-ipaddress = Asset IP Address AS ipaddress

Now in the search, I select my index and sourcetype and then | table ipaddress, but I get no results.

Asset IP Address is the name of the CSV field I input into Splunk. Do I need to do something else besides what I've already done?

Tags (4)
0 Karma
Highlighted

Re: Why is my field alias not recognized in a search?

SplunkTrust
SplunkTrust

Is Asset IP Addres is an exiting field in your search (is it real one with space?)?

0 Karma
Highlighted

Re: Why is my field alias not recognized in a search?

Champion

Just like with any field name that has whitespaces in it, you'll have to enclose it in quotes. The following won't work on your system:

sourcetype=your_sourcetype | stats count by Asset IP Address

whereas this should work:

sourcetype=your_sourcetype | stats count by "Asset IP Address"

It's easy to see why: how should splunk know that you want to split by a field called <Asset IP Address>, and not split by the three fields <Asset>, <IP> and <Address>? You have to be specific here.
Same goes for your props.conf line, which has to be

FIELDALIAS-ipaddress = "Asset IP Address" AS ipaddress
0 Karma