
Splunk 7.2.0 - Field Aliases incorrect behavior

Path Finder

I checked my app on version 7.2.0 and I found incorrect behavior.
I exported my log file both to Splunk Enterprise 7.1.2 and 7.2.0.
In version 7.1.2 everything works as expected but in 7.2.0 I noticed that for some reason (which I really have no idea) one field inside the log ("action") is missing from extracted fields.
The method for extracting fields is regex based on key-value pairs.

The mapping was not changed at all and the app is exactly the same.
When I add another field alias from the missing field into a new field ("action_test"), I can see the new field in the extracted fields in the search view, but not the original field.

Does anyone have any idea about it?

Thank you


Hi there, we had the same issue ever since we jumped to 7.2.3 from 7.0.3. For example, on the Proxy TA props.conf we had aliases configured such as below.

FIELDALIAS-http_referrer = cs_Referer as http_referrer
FIELDALIAS-user_agent = cs_User_Agent as http_user_agent

But transforms.conf had the field alias instead of the actual field name - something like below.

REGEX = (?\d{4}-\d{2}-\d{2})\s+(?[^\s]+) ... (?-|\S+)\ ... (?\S+) ...

Changing the RegEx to the actual field name fixed this issue, and Splunk support will update their release notes under SPL-166565 stating that field extraction is more restrictive on 7.2.3.



Found a similar problem in the Splunk_TA_microsoft-iis app.
In the default props.conf they do this:

FIELDALIAS-s_computername = s_computername as host

If s_computername is not found in the event, I no longer have a host field in my event.

This behavior popped up after the upgrade from 6.5 to 7.2.
Disabling this alias does the trick for me because all events come from a forwarder on the server itself, so I overrode the alias in the local folder like this:

FIELDALIAS-s_computername =

Path Finder

Thanks for this - We have just found the same issue. Oh joy!


Splunk Employee

FIELDALIAS behavior change in 7.2:
FIELDALIAS for a specific field overwrites the field value, regardless of whether it is NULL or not. In earlier versions, FIELDALIAS did NOT overwrite the value in case of NULL.

The solution to this is to use COALESCE:

FIELDALIAS-s_computername = s_computername as host
should be something like
EVAL-host=coalesce(s_computername, host)

Splunk Employee

Do you mean to say to use the coalesce in place of the fieldalias definition?



This is not the same, and can cause other problems "downstream". If, for example, you use that alias field in an EVAL, you cannot do that anymore.
The below (super simplified) example will not work anymore:

_raw data1: "2018-12-06 15:54:00 Account_Name=arnold sid=123 message=bla"
_raw data2: "2018-12-06 15:54:00 user=arnold sid=123 message=bla"

FIELDALIAS-user = user AS Account_Name
EVAL-userid = case(isnotnull(user),user, isnotnull(sid),sid)

In data1 you will miss the Account_Name field even though it is in the data; this cannot be solved with evals in this manner:
EVAL-user = coalesce(Account_Name, user)
EVAL-userid = case(isnotnull(user),user, isnotnull(sid),sid)

Because according to the props.conf spec file:
* When multiple EVAL-* statements are specified, they behave as if they are run in parallel, rather than in any particular sequence.
* For example say you have two statements: EVAL-x = y*2 and EVAL-y=100. In this case, "x" will be assigned the original value of "y * 2," not the value of "y" after it is set to 100.

So in my opinion this is a major breaking change in the way 7.2.x works, and there is no mention of it in any doc (spec file/release notes/known issues/.....)

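To make the behaviour described in this thread checkable, here is a small Python model of the search-time pipeline (key=value extraction, then FIELDALIAS, then EVAL-* run in parallel) applied to the two sample events above and to the IIS `host` case. This is an added example written for this page, not Splunk code; the pre-7.2 vs 7.2 switch (`splunk_72`) is an assumption that encodes the Splunk employee's description, and `case(isnotnull(user),user, isnotnull(sid),sid)` is modelled as `coalesce(user, sid)`.

```python
import re

# Constructed sample events, copied from the thread's simplified example.
EVENTS = [
    "2018-12-06 15:54:00 Account_Name=arnold sid=123 message=bla",
    "2018-12-06 15:54:00 user=arnold sid=123 message=bla",
]

def extract_kv(raw):
    """Stand-in for the regex key=value extraction the original post describes."""
    return dict(re.findall(r"(\w+)=(\S+)", raw))

def apply_fieldalias(fields, src, dst, overwrite_null):
    """Model FIELDALIAS-<name> = src AS dst.
    overwrite_null=False: pre-7.2, a missing src leaves dst untouched.
    overwrite_null=True: 7.2, dst is overwritten with src even when src is NULL."""
    out = dict(fields)
    if src in out:
        out[dst] = out[src]
    elif overwrite_null:
        out.pop(dst, None)  # overwritten with NULL, so the field disappears
    return out

def apply_evals(fields, evals):
    """EVAL-* statements behave as if run in parallel: each reads the pre-EVAL fields."""
    snapshot, out = dict(fields), dict(fields)
    for dst, fn in evals.items():
        val = fn(snapshot)
        if val is not None:
            out[dst] = val
    return out

def coalesce(*vals):
    return next((v for v in vals if v is not None), None)

def resolve(raw, splunk_72):
    """The thread's props.conf: FIELDALIAS-user = user AS Account_Name, then
    EVAL-user = coalesce(Account_Name, user) and EVAL-userid = case(...)."""
    f = apply_fieldalias(extract_kv(raw), "user", "Account_Name", splunk_72)
    return apply_evals(f, {
        "user": lambda s: coalesce(s.get("Account_Name"), s.get("user")),
        "userid": lambda s: coalesce(s.get("user"), s.get("sid")),
    })

def iis_host(fields, splunk_72, use_eval):
    """Splunk_TA_microsoft-iis: FIELDALIAS-s_computername = s_computername as host
    versus the suggested EVAL-host = coalesce(s_computername, host)."""
    if use_eval:
        evals = {"host": lambda s: coalesce(s.get("s_computername"), s.get("host"))}
        return apply_evals(fields, evals).get("host")
    return apply_fieldalias(fields, "s_computername", "host", splunk_72).get("host")
```

Running `resolve(EVENTS[0], splunk_72=True)` shows both problems at once: `Account_Name` is gone, and `userid` falls back to `sid` because the parallel EVAL never sees the coalesced `user`.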