Splunk® Enterprise

Knowledge Manager Manual

Configure field aliases with props.conf

In your data, you might have groups of events with related field values. To help you search for these groups of fields, you can assign field aliases to their field values. You can assign one or more tags to any extracted field, including event type, host, source, or source type.

Field aliases are an alternate name that you assign to a field, allowing you to use that name to search for events that contain that field. A field can have multiple aliases, but a single alias can only apply to one field. For example, the field vendor_action can be aliased to action or message_type, but not both. An alias does not replace or remove the original field name.

Don't create a field alias for a field with the same name as an internal field, such as _time. For example, if a field is called eventStartTime, don't name its field alias _time. Giving a field alias the same name as an internal field produces unpredictable search results.

Perform field aliasing after key-value extraction but before field lookups so that you can specify a lookup table based on a field alias. This can be helpful if one or more fields in the lookup table are identical to fields in your data, but are named differently. See Configure CSV and external lookups and Configure KV store lookups.

You can define aliases for fields that are extracted at index time as well as those that are extracted at search time.

Add your field aliases to props.conf, which you edit in $SPLUNK_HOME/etc/system/local/, or your own custom app directory in $SPLUNK_HOME/etc/apps/. Use the latter directory to make it easy to transfer your data customizations to other index servers.)

Splunk Enterprise supports single value fields only.

Use props.conf to configure field aliases

Prerequisities

Steps

  1. Add the following line to a stanza in props.conf:
  2. FIELDALIAS-<class> = <orig_field_name> AS <new_field_name>
    
    • <orig_field_name> is the original name of the field.
    • <new_field_name> is the alias to assign to the field.
    • You can include multiple field alias renames in one stanza.
  3. Restart Splunk Enterprise for your changes to take effect.

Example of field alias additions for a lookup

You created a lookup for an external static table CSV file, where the field you extracted at search time as ip is referred to as ipaddress. In the props.conf file where you defined the extraction, add a line that defines ipaddress as an alias for ip, as follows:

[accesslog]
EXTRACT-extract_ip = (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
FIELDALIAS-extract_ip = ip AS ipaddress

When you set up the lookup in props.conf, use ipaddress where you would otherwise use ip:

[dns]
lookup_ip = dnsLookup ipaddress OUTPUT host

See Create and maintain search-time field extractions through configuration files.

See Introduction to lookup configuration and Configure KV store lookups.

Last modified on 13 December, 2023
Create field aliases in Splunk Web   Use search macros in searches

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1, 8.1.0, 8.1.10, 8.1.11, 8.1.12


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters