Splunk® Enterprise

Knowledge Manager Manual


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017.
This documentation does not apply to the most recent version of Splunk.

Create aliases for fields

You can create multiple aliases for a field. The original field is not removed. This process enables you to search for the original field using any of its aliases.

Important: Field aliasing is performed after key/value extraction but before field lookups. Therefore, you can specify a lookup table based on a field alias. This can be helpful if there are one or more fields in the lookup table that are identical to fields in your data, but have been named differently. For more information, read "Configure field lookups" in this manual.

You can define aliases for fields that are extracted at index time as well as those that are extracted at search time.

You add your field aliases to props.conf, which you edit in $SPLUNK_HOME/etc/system/local/, or your own custom app directory in $SPLUNK_HOME/etc/apps/. (We recommend using the latter directory if you want to make it easy to transfer your data customizations to other index servers.)

Note: Splunk Enterprise's field aliasing functionality does not currently support multivalue fields.

To alias fields:

1. Add the following line to a stanza in props.conf:

FIELDALIAS-<class> = <orig_field_name> AS <new_field_name>
  • <orig_field_name> is the original name of the field.
  • <new_field_name> is the alias to assign to the field.
  • You can include multiple field alias renames in one stanza.

2. Restart Splunk Enterprise for your changes to take effect.

Example of field alias additions for a lookup

Say you're creating a lookup for an external static table CSV file where the field you've extracted at search time as "ip" is referred to as "ipaddress." In the props.conf file where you've defined the extraction, you would add a line that defines "ipaddress" as an alias for "ip," as follows:

[accesslog]
EXTRACT-extract_ip = (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
FIELDALIAS-extract_ip = ip AS ipaddress

When you set up the lookup in props.conf, you can just use ipaddress where you'd otherwise have used ip:

[dns]
lookup_ip = dnsLookup ipaddress OUTPUT host
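
The following Python example, added here and not part of the Splunk documentation or product, models the order of operations this topic describes (key/value extraction, then aliasing, then lookup) for the [accesslog] stanza. The src alias, the sample events, the lookup rows and the function names are assumptions made for illustration.

```python
import csv, io, re

# Constructed stanza modelled on this page's [accesslog] example; the second
# alias (src) is an assumption added to show several aliases in one stanza.
PROPS = r"""
[accesslog]
EXTRACT-extract_ip = (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
FIELDALIAS-extract_ip = ip AS ipaddress
FIELDALIAS-src = ip AS src
"""
# Constructed lookup table keyed on "ipaddress", as in the page's CSV scenario.
LOOKUP_CSV = "ipaddress,host\n192.0.2.10,web01.example.com\n"
# Constructed access-log events.
EVENTS = ['192.0.2.10 - - "GET / HTTP/1.1" 200 512',
          '198.51.100.7 - - "GET /admin HTTP/1.1" 403 0']

def parse_stanza(text):
    """Collect EXTRACT- regexes and FIELDALIAS- (orig, alias) pairs."""
    extracts, aliases = [], []
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition("="))
        if key.startswith("EXTRACT-"):
            # Splunk regexes are PCRE: (?<name>...) becomes (?P<name>...) for Python.
            value = re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", value)
            extracts.append(re.compile(value))
        elif key.startswith("FIELDALIAS-"):
            aliases += re.findall(r"(\S+)\s+AS\s+(\S+)", value)
    return extracts, aliases

def load_lookup(csv_text, key="ipaddress"):
    """Index the lookup rows by the column named in the table, not in the data."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(csv_text))}

def search_time_fields(event, extracts, aliases, lookup, match_field="ipaddress"):
    """Simplified model of the order: extraction, then aliasing, then lookup."""
    fields = {}
    for rx in extracts:                        # 1. key/value extraction
        m = rx.search(event)
        if m:
            fields.update(m.groupdict())
    for orig, alias in aliases:                # 2. alias added, original kept
        if orig in fields:
            fields[alias] = fields[orig]
    row = lookup.get(fields.get(match_field))  # 3. lookup matches on the alias
    if row:
        fields["host"] = row["host"]
    return fields

if __name__ == "__main__":
    ex, al = parse_stanza(PROPS)
    for ev in EVENTS:
        print(search_time_fields(ev, ex, al, load_lookup(LOOKUP_CSV)))
```

Passing an empty alias list to search_time_fields shows the failure this topic's alias prevents: the event still has ip, but the lookup keyed on ipaddress finds nothing and no host field is added.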

For more information about search time field extraction, see "Add fields at search time" in this manual.

For more information about field lookups, see "Configure field lookups" in this manual.


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13

