Hi Splunkers.

I'm trying to troubleshoot an issue with field aliases based on a particular sourcetype.

1) Field alias was configured in SplunkWeb as follows (modified for privacy reasons):

Name_Mode:Type_of_access:SECURED : FIELDALIAS-Mode_extract_for_web
(Name_Mode:Type_of_access:SECURED is the sourcetype.)
uri = uri_path

2) If I run the following, it lists the alias definition correctly:

| rest /services/data/props/fieldaliases
| rename title as Name, value as "Field aliases", eai:acl.app as App, eai:acl.owner as Owner
| table Name "Field aliases" App Owner

3) When searching specifically for that sourcetype, the events are returned but without the field alias.

The sourcetype has multiple colons in the name. I can't see that causing the alias to fail, as there are other field aliases used against similarly-named sourcetypes (in other apps) that are working without issue.

It is running on a SH cluster.
Splunk is v8.02.
Permissions for the alias are "All apps" with read for Everyone.
The "uri" field is an inline field extraction.

Search-time operation order puts inline field extraction (1st) ahead of field aliasing operations (4th) (https://docs.splunk.com/Documentation/Splunk/8.2.1/Knowledge/Searchtimeoperationssequence), so I don't see this being a search-time operation issue.

Any ideas where else to check? Apologies if the above is not clear due to the obfuscation. Let me know if you need clarification.

Thanks,