Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field Alias: Created multiple but only a few showing up

adalbor
Builder
‎01-21-2020 07:15 AM

Hey All,

I created multiple field aliases for multiple sourcetypes and for each sourcetype I am only seeing a few of each created field aliases in my search results.

I checked all my search heads and they all have the aliases in their props.conf (created via GUI) and they all have global permissions.

Is there anything else I can check to see why this might be occurring?

For example:
Here is the stanza in props.conf for one of them
[WinEventLog]
FIELDALIAS-sn_ms_def_compname = ComputerName ASNEW sn_ms_def_compname
FIELDALIAS-sn_ms_def_detectsrc = Detection_Source ASNEW sn_ms_def_detectsrc
FIELDALIAS-sn_ms_def_evtcd = EventCode ASNEW sn_ms_def_evtcd
FIELDALIAS-sn_ms_def_message = EventDescription ASNEW sn_ms_def_message

In search the only field alias not showing up is the sn_ms_def_message

I have multiple other stanzas with the same behavior, some but not all of the field aliases will be in the search results.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adalbor
Builder
‎01-30-2020 07:32 AM

I figured the issue out. The non-working aliases were having search order preference issues.
I created the non-working aliases in the local folders of each respective app and that fixed the issue.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

adalbor
Builder
‎01-30-2020 07:32 AM

I figured the issue out. The non-working aliases were having search order preference issues.
I created the non-working aliases in the local folders of each respective app and that fixed the issue.

View solution in original post

0 Karma
Reply
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!

Get Updates on the Splunk Community!