Splunk® Enterprise

Knowledge Manager Manual

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Create field aliases in Splunk Web

In your data, you might have groups of events with related field values. To help you search for these groups of fields, you can assign field aliases to their field values.

Field aliases are an alternate name that you assign to a field allowing you to use that name to search for events that contain that field. A field can have multiple aliases, but a single alias can only apply to one field. For example, the field vendor_action can be aliased to action or message_type, but not both. An alias does not replace or remove the original field name.

Perform field aliasing after key-value extraction, but before field lookups, so that you can specify a lookup table based on a field alias. This can be helpful if one or more fields in the lookup table are identical to fields in your data, but have different names. See Configure CSV and external lookups and Configure KV store lookups.

For more information on aliases, see About tags and aliases.

Where field aliases fit in the search-time sequence of operations

When you run a search, Splunk software runs several operations to derive various knowledge objects and apply them to the events returned by the search. Splunk software applies field aliases to a search after it performs key-value field extraction, but before it processes calculated fields, lookups, event types, and tags.

This means that you can create aliases for fields that are extracted at index time or search time, but you cannot create aliases for calculated fields, event types, tags, or fields that are added to your events by a lookup.

On the other hand, you can reference field aliases in the configurations for search-time operations that follow the field aliasing process. For example, you can design a lookup table that is based on a field alias. You might do this if one or more fields in the lookup table are identical to fields in your data but have different names.

See The sequence of search-time operations.

Create a field alias with Splunk Web

You can use Splunk Web to assign an alternate name to a field, allowing you to use that name to search for events that contain that field.

Prerequisites

Steps

  1. Locate a field within your search that you would like to alias.
  2. Select Settings > Fields > Field aliases.
  3. (Required) Select an app to use the alias.
  4. (Required) Enter a name for the alias. Currently supported characters for alias names are a-z, A-Z, 0-9, or _.
  5. (Required) Select the host, source, or sourcetype to apply to a default field.
  6. (Required) Enter the name for the existing field and the new alias.
  7. Click Save.

View your new field alias on the Field Aliases page.

If you must associate a single alias field name with multiple original field names

You should not design field alias configurations that apply a single alias field name to multiple original field names. If you must do this, set the field alias up as a calculated field that uses the coalesce function to create a new field that takes the value of one or more existing fields. This method lets you be explicit about ordering of input field values in the case of NULL fields. For example: EVAL-ip = coalesce(clientip,ipaddress).

Last modified on 29 March, 2019
Tag event types   Configure field aliases with props.conf

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters