
Create field aliases in Splunk Web
In your data, you might have groups of events with related field values. To help you search for these groups of fields, you can assign field aliases to their field values. You can assign one or more tags to any extracted field, including event type, host, source, or source type.
A field alias is an alternate name that you assign to a field, allowing you to use that name to search for events that contain that field. A field can have multiple aliases, but a single alias can only apply to one field. For example, the field vendor_action can be aliased to action or message_type, but not both. An alias does not replace or remove the original field name.
Perform field aliasing after key-value extraction but before field lookups, so that you can specify a lookup table based on a field alias. This can be helpful if one or more fields in the lookup table are identical to fields in your data, but have different names. See Configure CSV and external lookups and Configure KV store lookups.
For more information on aliases, see About tags and aliases.
Use field aliases to normalize your data
You can use Splunk Web to assign an alternate name to a field, allowing you to use that name to search for events that contain that field.
Prerequisites
- See About tags and aliases for more information on aliases.
Using field aliases to normalize your data
- Locate a field within your search that you would like to alias.
- Select Settings > Fields > Field aliases.
- Select an app to use the alias.
- Enter a name for the alias.
- Select the host, source, or sourcetype to apply to a default field.
- Enter the name for the existing field and the new alias.
- Click Save.
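The same kind of alias written as configuration, as an added example that is not part of the original documentation: the sourcetype acme:firewall, the lookup action_severity and its CSV file are hypothetical names. It shows the ordering described above, with the lookup matching on the alias action rather than on the original field vendor_action.

```ini
# props.conf, in the app selected for the alias
# Stanza name = the sourcetype the alias applies to (hypothetical name).
# For a host or source, the stanza would be [host::<host>] or [source::<source>].
[acme:firewall]

# Alias: vendor_action stays in the event, action is added alongside it.
FIELDALIAS-normalize_action = vendor_action AS action

# Lookups run after aliasing, so the lookup can match on the alias.
# "action" is both the column in the lookup table and the aliased event field.
LOOKUP-action_severity = action_severity action OUTPUTNEW severity

# transforms.conf, same app
# Lookup definition (hypothetical); the CSV has the columns action,severity.
[action_severity]
filename = action_severity.csv
```

To check the result, search the sourcetype for events where action exists and confirm that vendor_action and action carry the same value and that severity is populated.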
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12