Knowledge Manager Manual

 



This documentation does not apply to the most recent version of Splunk.

Create aliases for fields

You can create multiple aliases for a field. The original field is not removed. This process enables you to search for the original field using any of its aliases.

Important: Field aliasing is performed after key/value extraction but before field lookups. Therefore, you can specify a lookup table based on a field alias. This can be helpful if one or more fields in the lookup table are identical to fields in your data but have been named differently. For more information, read "Look up fields from external data sources" in this manual.

You can define aliases for fields that are extracted at index time as well as those that are extracted at search time.

You add your field aliases to props.conf, which you edit in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. (We recommend using the latter directory if you want to make it easy to transfer your data customizations to other index servers.)

To alias fields:

1. Add the following line to a stanza in props.conf:

FIELDALIAS-<class> = (<orig_field_name> AS <new_field_name>)+

2. Restart Splunk for your changes to take effect.


Example of field alias additions for a lookup

Say you're creating a lookup for an external static table CSV file where the field you've extracted at search time as "ip" is referred to as "ipaddress". In the props.conf file where you've defined the extraction, you would add a line that defines "ipaddress" as an alias for "ip", as follows:

[accesslog]
EXTRACT-extract_ip = (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
FIELDALIAS-extract_ip = ip AS ipaddress

When you set up the lookup in props.conf, you can just use ipaddress where you'd otherwise have used ip:

[dns]
lookup_ip = dnsLookup host OUTPUT ipaddress

For more information about search time field extraction, see "Add fields at search time" in this manual.

For more information about field lookups, see "Create field lookups from external data sources" in this manual.
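
The following is an added example, not Splunk code or part of the original manual: a small Python model of the ordering described above (extraction, then aliasing, then lookup) that also checks a FIELDALIAS value against the grammar shown in step 1. The sample event, the lookup rows, the "owner" column, all function names, and the assumption that AS is written in upper case as on this page are constructed for illustration.

```python
import re

# Value grammar from the page: (<orig_field_name> AS <new_field_name>)+
ALIAS_PAIR = re.compile(r"(\S+)\s+AS\s+(\S+)")

def parse_fieldalias(value):
    """Return [(orig, new), ...]; raise if any text does not fit the grammar."""
    pairs = ALIAS_PAIR.findall(value)
    if not pairs or ALIAS_PAIR.sub("", value).strip():
        raise ValueError(f"malformed FIELDALIAS value: {value!r}")
    return pairs

def extract(raw, pattern):
    """Step 1, key/value extraction: named groups become fields."""
    m = re.search(pattern, raw)
    return m.groupdict() if m else {}

def apply_aliases(fields, pairs):
    """Step 2, aliasing: add the new name; the original field is kept."""
    out = dict(fields)
    for orig, new in pairs:
        if orig in fields:
            out[new] = fields[orig]
    return out

def lookup(fields, table, key, output):
    """Step 3, lookup: match on `key` (may be an alias), add `output`."""
    out = dict(fields)
    for row in table:
        if key in fields and row[key] == fields[key]:
            out[output] = row[output]
            break
    return out

# Constructed sample event and lookup rows (the "owner" column is hypothetical).
RAW = '203.0.113.7 - - "GET /index.html" 200'
EXTRACT_IP = r"(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"  # page's regex, Python group syntax
TABLE = [{"ipaddress": "203.0.113.7", "owner": "edge-proxy"}]

def search_time(alias_value=None):
    """Run the three steps in the order the page gives."""
    pairs = parse_fieldalias(alias_value) if alias_value else []
    fields = apply_aliases(extract(RAW, EXTRACT_IP), pairs)
    return lookup(fields, TABLE, key="ipaddress", output="owner")

if __name__ == "__main__":
    print(search_time("ip AS ipaddress"))  # alias present: lookup matches
    print(search_time())                   # no alias: lookup finds nothing
```

Without the alias, the event carries only "ip", so a table keyed on "ipaddress" never matches and the enrichment is silently missing from search results.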

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11

