WindowsEventLogs contains the same fields in both indexes, as expected.
I created an alias named "dhost" which corresponds with the existing field "dest". The field alias has global permissions, readable to everyone.
Next, I obtained the count of "dest" and "dhost" from each index, specifying a 1 minute range from the time picker (9:55:00 - 9:55:59). The results show a different number of events for the original "dest" field, and the aliased "dhost" field:
I expected the numbers to match in each index. For example, I expected 335 to be 612, and I expected 4 to be 19.
I also tried the same scenario with "source" instead of "sourcetype" when creating the field alias, but the results were exactly the same.
Also, if I create a field alias for a sourcetype whose name isn't shared with any other indexes, the numbers for "dest" and "dhost" sometimes do match as I expected, and sometimes they do not.
Finally, I've read the Splunk docs, searched Google and answers.splunk.com, and can't find any mention of this behavior. Have I overlooked something? Shouldn't the count of the alias and the field being aliased be the same?
Update: I don't believe that field aliases are working properly. I've just created 7 aliases for a field in one sourcetype, and the search results are inconsistent:
Enterprise Security uses app imports to selectively import apps and knowledge objects. If the app that you created one of the field aliases in is not being imported by Enterprise Security, that could explain some of the behavior you're seeing. I haven't experimented to confirm that this is the case, but it's something worth checking out.
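One way to verify the two things this answer points at, which app defines the alias and whether that app shares it with all apps, is to read the knowledge-object files directly. This is an added example, not code from the thread or from Splunk; it assumes the `FIELDALIAS-<name> = <field> AS <alias>` syntax in props.conf and the `export = system` setting in the app's metadata file, and the file contents below are constructed.

```python
import configparser

# Constructed sample files (not from the thread). The alias lives in one app's
# props.conf; the same app's local.meta records its sharing ("export = system"
# is what the UI calls "All apps"; a missing or "none" export keeps it app-private).
PROPS_CONF = """
[WindowsEventLogs]
FIELDALIAS-dhost = dest AS dhost
"""

LOCAL_META = """
[props/WindowsEventLogs/FIELDALIAS-dhost]
access = read : [ * ], write : [ admin ]
export = system
"""


def load_conf(text):
    """Parse Splunk's INI-style conf text; setting names are case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def find_field_aliases(props_text, stanza):
    """Return {setting_name: [(original_field, alias_field), ...]} for a stanza."""
    cp = load_conf(props_text)
    found = {}
    if not cp.has_section(stanza):
        return found
    for key, value in cp.items(stanza):
        if not key.startswith("FIELDALIAS-"):
            continue
        tokens = value.split()
        # One setting may carry several "orig AS new" pairs.
        pairs = [(tokens[i], tokens[i + 2])
                 for i in range(0, len(tokens) - 2, 3)
                 if tokens[i + 1].upper() == "AS"]
        found[key] = pairs
    return found


def alias_scope(meta_text, stanza, setting_name):
    """Return the export scope of one alias: 'system', 'none', or None if no meta stanza."""
    cp = load_conf(meta_text)
    section = f"props/{stanza}/{setting_name}"
    if not cp.has_section(section):
        return None
    return cp.get(section, "export", fallback="none")
```

If the scope comes back `none` or `None` for the app that holds the alias, searches run from another app (such as Enterprise Security) will not see it, which would show up exactly as a mismatch between the counts of `dest` and `dhost`.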
Thank you for your feedback, peterchenadded. Though I didn't find any related errors or warnings in the inspect job splunk.log, that did give me something new to look into for troubleshooting. It's possible the field alias isn't replicating correctly. I'll have to get someone else to investigate that.
@smoir - Thank you for your reply. I created the field alias within the Enterprise Security app (via Settings >> Fields >> Field aliases).