Splunk Search

Why is the field alias not working in custom app?

jwalzerpitt
Influencer

We created a custom app for our Exchange message trace logs and I have the following field alias defined in the custom app's default/props.conf file on our Deployment server:

FIELDALIAS-org_user = src_user AS org_user

I reloaded the Deployment server and then verified that the change made it to our Deployer and Cluster Master servers, and from each server pushed the bundle to the clustered SHs and clustered indexers. I then verified the change made it to all SHs and indexers.

In the GUI, I verified the permissions for the field alias are set to "All apps". When I run a generic search of the message trace logs, the field alias 'org_user' is not showing as a field.

Is there any other place I need to check to see why this field alias is not showing up in my searches?

Thx

0 Karma

woodcock
Esteemed Legend

You need to check the order of operations:
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchtimeoperationssequence#Search-ti...
This says that either a calculated field or an automatic lookup could be overwriting your field alias. If the value is null, I would suspect an automatic lookup because a calculated field would probably result in a non-null value (but not necessarily).

One more thing: if you are using a non-current version of Splunk Enterprise Security and your app does not contain *_SA_* or *_TA_* then you need to modify the application whitelist to accept your custom application within the Enterprise Security app.

0 Karma

woodcock
Esteemed Legend

Check like this:

| rest /servicesNS/-/-/data/props/fieldaliases
| search type="FIELDALIAS"
| table attribute stanza eai:acl.app value

Maybe add this, too:

| search eai:acl.app="<Your App Name Here>"
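
The REST search above only confirms that the alias object exists; it does not show whether something later in the search-time sequence (a calculated field or an automatic lookup) writes the same field name and clobbers it, which is what the first answer suspects. The following search is an added example, not from the original thread, that extends the same idea to all three knowledge-object types for one target field. It assumes the target field is `org_user` as in the question, that the `value` attribute returned by the `calcfields` and `lookups` endpoints contains the EVAL expression or the `OUTPUT` clause respectively (so a wildcard match on it is a reasonable first filter), and that the `op` column is only a label added here to reflect the order in which Splunk applies the operations (field aliases, then calculated fields, then lookups).

```spl
| rest /servicesNS/-/-/data/props/fieldaliases
| search type="FIELDALIAS" value="*org_user*"
| eval op="1_fieldalias"
| table op stanza attribute value eai:acl.app
| append [
    | rest /servicesNS/-/-/data/props/calcfields
    | search attribute="EVAL-org_user"
    | eval op="2_calcfield"
    | table op stanza attribute value eai:acl.app ]
| append [
    | rest /servicesNS/-/-/data/props/lookups
    | search value="*org_user*"
    | eval op="3_lookup"
    | table op stanza attribute value eai:acl.app ]
| sort op stanza
```

Any row with `op` of `2_calcfield` or `3_lookup` whose `stanza` matches the message trace sourcetype is a candidate for overwriting the alias, and the `eai:acl.app` column tells you which app owns it. Also compare the `stanza` of the `1_fieldalias` row against the actual sourcetype of the events: a props.conf stanza only applies to events whose sourcetype, source, or host matches it, so an alias defined under a stanza name that does not match the events will be listed by REST yet never fire at search time.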

jwalzerpitt
Influencer

When I run the search you listed, I see the field alias listed

Thx

0 Karma