Create field aliases in Splunk Web
In your data, you might have groups of events with related field values. To help you search for these groups of fields, you can assign field aliases to their field values.
Field aliases are an alternate name that you assign to a field. You can use that alternate name to search for events that contain that field. A field can have multiple aliases, but a single alias can only apply to one field. For example, the field vendor_action can be an alias of the original fields action or message_type, but not both original fields at the same time. An alias does not replace or remove the original field name.
Don't create a field alias for a field with the same name as an internal field, such as _time. For example, if a field is called eventStartTime, don't name its field alias _time. Giving a field alias the same name as an internal field produces unpredictable search results.
For more information on aliases, see About tags and aliases.
Preserve existing field values
You can change the behavior of a field alias by selecting Overwrite field values when you define it. This affects how the Splunk software handles situations where the original field has no value or does not exist, as well as situations where the alias field already exists as a field in your events, alongside the original field.
Overwrite field values is not selected by default.
This table shows you how Overwrite field values affects the behavor of a field alias. Say you have a field alias definition where the original field src has been given dst as an alias.
| When Overwrite field values... | And the events we search for contain both src and dst... | And the events we search contain only dst... |
|---|---|---|
| is not selected... | The value of the field alias dst is unchanged.
|
The field alias dst remains as-is.
|
| is selected... | The search head replaces the value of the field alias dst with the value of the original field src, because dst is an alias of src.
|
The search head removes dst from the event because dst is an alias of a field that is not present.
|
Where field aliases fit in the search-time sequence of operations
When you run a search, Splunk software runs several operations to derive various knowledge objects and apply them to the events returned by the search. Splunk software applies field aliases to a search after it performs key-value field extraction, but before it processes calculated fields, lookups, event types, and tags.
This means that you can create aliases for fields that are extracted at index time or search time, but you cannot create aliases for calculated fields, event types, tags, or fields that are added to your events by a lookup.
On the other hand, you can reference field aliases in the configurations for search-time operations that follow the field aliasing process. For example, you can design a lookup table that is based on a field alias. You might do this if one or more fields in the lookup table are identical to fields in your data but have different names.
See The sequence of search-time operations.
Create a field alias with Splunk Web
You can use Splunk Web to assign an alternate name to a field, allowing you to use that name to search for events that contain that field.
Prerequisites
- See About tags and aliases for more information on aliases.
Steps
- Locate a field within your search that you would like to alias.
- Select Settings > Fields > Field aliases.
- (Required) Select an app to use the alias.
- (Required) Enter a name for the alias. Currently supported characters for alias names are a-z, A-Z, 0-9, or _.
- (Required) Select the host, source, or sourcetype to apply to a default field.
- (Required) Enter the name for the existing field and the new alias. The existing field should be on the left side, and the new alias should be on the right side.
- (Optional) Select Overwrite field values if you want your field alias to remove the alias field name when the original field does not exist or has no value, or replace the alias field name with the original field name when the alias field name already exists.
- Click Save.
View your new field alias on the Field Aliases page.
If you must associate a single alias field name with multiple original field names
You should not design field alias configurations that apply a single alias field name to multiple original field names. If you must do this, set the field alias up as a calculated field that uses the coalesce function to create a new field that takes the value of one or more existing fields. This method lets you be explicit about ordering of input field values in the case of NULL fields. For example: EVAL-ip = coalesce(clientip,ipaddress).
| Tag event types | Configure field aliases with props.conf |
This documentation applies to the following versions of Splunk® Enterprise: 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2
Download manual
Feedback submitted, thanks!