Splunk® Enterprise

Knowledge Manager Manual

Acrobat logo Download manual as PDF


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Create field aliases in Splunk Web

In your data, you might have groups of events with related field values. To help you search for these groups of fields, you can assign field aliases to their field values. You can assign one or more tags to any extracted field, including event type, host, source, or source type.

Field aliases are an alternate name that you assign to a field, allowing you to use that name to search for events that contain that field. A field can have multiple aliases, but a single alias can only apply to one field. For example, the field vendor_action can be aliased to action or message_type, but not both. An alias does not replace or remove the original field name.

Perform field aliasing after key-value extraction but before field lookups, so that, you can specify a lookup table based on a field alias. This can be helpful if one or more fields in the lookup table are identical to fields in your data, but have different names. See Configure CSV and external lookups and Configure KV store lookups.

For more information on aliases, see About tags and aliases.

Use field aliases to normalize your data

You can use Splunk Web to assign an alternate name to a field, allowing you to use that name to search for events that contain that field.

Prerequisites

Using field aliases to normalize your data

  1. Locate a field within your search that you would like to alias.
  2. Select Settings > Fields > Field aliases.
  3. Select an app to use the alias.
  4. Enter a name for the alias.
  5. Select the host, source, or sourcetype to apply to a default field.
  6. Enter the name for the existing field and the new alias.
  7. Click Save.
Last modified on 20 October, 2017
PREVIOUS
Tag event types 		  NEXT
Configure field aliases with props.conf

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters