Solved: Field Alias: Created multiple but only a few showi...

adalbor · ‎01-21-2020

Hey All,

I created multiple field aliases for multiple sourcetypes and for each sourcetype I am only seeing a few of each created field aliases in my search results.

I checked all my search heads and they all have the aliases in their props.conf (created via GUI) and they all have global permissions.

Is there anything else I can check to see why this might be occurring?

For example:
Here is the stanza in props.conf for one of them
[WinEventLog]
FIELDALIAS-sn_ms_def_compname = ComputerName ASNEW sn_ms_def_compname
FIELDALIAS-sn_ms_def_detectsrc = Detection_Source ASNEW sn_ms_def_detectsrc
FIELDALIAS-sn_ms_def_evtcd = EventCode ASNEW sn_ms_def_evtcd
FIELDALIAS-sn_ms_def_message = EventDescription ASNEW sn_ms_def_message

In search the only field alias not showing up is the sn_ms_def_message

I have multiple other stanzas with the same behavior, some but not all of the field aliases will be in the search results.

adalbor · ‎01-30-2020

I figured the issue out. The non-working aliases were having search order preference issues.
I created the non-working aliases in the local folders of each respective app and that fixed the issue.

View solution in original post

adalbor · ‎01-30-2020

I figured the issue out. The non-working aliases were having search order preference issues.
I created the non-working aliases in the local folders of each respective app and that fixed the issue.

Field Alias: Created multiple but only a few showing up

alias

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation