Splunk® Enterprise

Knowledge Manager Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Create field aliases in Splunk Web

In your data, you might have groups of events with related field values. To help you search for these groups of fields, you can assign field aliases to their field values.

Field aliases are an alternate name that you assign to a field allowing you to use that name to search for events that contain that field. A field can have multiple aliases, but a single alias can only apply to one field. For example, the field vendor_action can be aliased to action or message_type, but not both. An alias does not replace or remove the original field name.

Perform field aliasing after key-value extraction, but before field lookups, so that you can specify a lookup table based on a field alias. This can be helpful if one or more fields in the lookup table are identical to fields in your data, but have different names. See Configure CSV and external lookups and Configure KV store lookups.

For more information on aliases, see About tags and aliases.

Use field aliases to normalize your data

You can use Splunk Web to assign an alternate name to a field, allowing you to use that name to search for events that contain that field.



  1. Locate a field within your search that you would like to alias.
  2. Select Settings > Fields > Field aliases.
  3. Select an app to use the alias.
  4. Enter a name for the alias. Currently supported characters for alias names are a-z, A-Z, 0-9, or _.
  5. Select the host, source, or sourcetype to apply to a default field.
  6. Enter the name for the existing field and the new alias.
  7. Click Save.

View your new field alias in the Field Aliases page.

Tag event types
Configure field aliases with props.conf

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4


Can you please specify which is the new alias and which is the existing field in the X=Y ? This always confuses me and the GUI does not provide guidance

March 13, 2019

Also, a single alias definition cannot get around the limitation of one alias per field name by doing: a1 as a2, a2 as a3 The GUI will allow the definition to be created (unlike the more direct a1 as a2, a1 as a3) but the field name a3 will not appear at search time with that approach; two definitions are required (1 for each) for success.

January 24, 2019

Regarding "A field can have multiple aliases, but a single alias can only apply to one field." It should be noted that a single alias definition can only alias each field once, but separate alias definitions can alias the same fields in other alias definitions again only once. So to "copy"/alias a field to three new field names, three alias definitions are required.

It is similar in effect to the SPL function eval command f1=f2, except that multiple aliases on the same field names (f1) can be done in the same pipe. Also, the SPL function "rename" does not preserve the original field name but can merge several fields into a single field name only if done within the same pipe.

January 24, 2019

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters