I just started to use Splunk, and I'm trying to organize my data in a way I believe will be the easiest to use in the future.
I have multiple fields that represent different kinds of IP addresses (internal IP, NAT IP, internet IP, IPv4, IPv6). Each of those types has a different field name.
BUT I want to have a generic alias called "IP" that will be an alias for all of the different kinds of IP fields I have. In the same event, I sometimes have multiple IP addresses of different types (internet IP and internal IP, for example). It looks like in this case the last alias definition of "IP" overrides all the previous ones, so it doesn't find me all the relevant results when I'm searching on the field "IP". It ignores all the alias definitions of IP except the last one.
So, my questions:
Can I have one alias referring to multiple fields that all exist in the same event?
Can I search on this alias to find multiple values?