I would like to create aliases for fields that map to Splunk's Common Information Model, so I go to Settings >> Fields >> Field aliases and enter the relevant information to map a field named HTTPRCode to the alias of status.
I tried entering * in the "apply to sourcetype named" field and when I ran a quick query of index=main | where status=200, no events were returned. I then deleted that field alias, created a new one, and entered a specific sourcetype name instead of *, and when I ran the query, events were returned.
If I have multiple sourcetypes that have the HTTPRCode field, do I need to create a field alias for each sourcetype, or is there a way to create one alias for HTTPRCode that applies to all sourcetypes that have that field?
Thx
The sourcetype specifier is a type of regex, so you could make the field alias something like (sourcetype1)|(sourcetype2), or if you truly want it to apply to all sourcetypes (probably not, except if you set the alias to only be shared in a specific app), it should work with e.g. *.
Edit: Scratch that, it is not a regex for sourcetypes, see http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/Propsconf
<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an event.
3. source::<source>, where <source> is the source, or source-matching pattern, for an event.
In that case I don't think there's a solution using aliases, unless your sourcetypes match your sources in some predictable way (in which case you can use wildcards in your fieldalias stanza).
So in short, yes, you need to create an alias for each sourcetype if you want the same alias for different sourcetypes.
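For reference, this is what the answer above amounts to in props.conf terms. It is an added example, not part of the original thread or of any Splunk documentation: the sourcetype names sourcetype1 and sourcetype2, the alias class name cim_status and the log path are placeholders; HTTPRCode and status are the field names from the question.

```ini
# Added example, not from the original thread. Stanza names sourcetype1,
# sourcetype2, the class name cim_status and the path below are assumptions.

# A FIELDALIAS setting is bound to the stanza it lives in, so each sourcetype
# that carries HTTPRCode needs its own stanza (this is what the UI writes
# when you fill in "apply to sourcetype named").
[sourcetype1]
FIELDALIAS-cim_status = HTTPRCode AS status

[sourcetype2]
FIELDALIAS-cim_status = HTTPRCode AS status

# Wildcards are honoured in host:: and source:: specs, not in a plain
# sourcetype spec. If every feed that has HTTPRCode is read from a path like
# /var/log/app/<name>/access.log (assumed), one source:: stanza covers them
# all: "..." matches any characters including "/", "*" matches anything but "/".
[source::/var/log/app/.../access.log]
FIELDALIAS-cim_status = HTTPRCode AS status

# What the "*" attempt from the question produces: a stanza named literally
# "*". Splunk does not treat that as a sourcetype wildcard, so the alias never
# applies and status=200 returns nothing, which is the behaviour described.
#[*]
#FIELDALIAS-cim_status = HTTPRCode AS status
```

Two things to keep in mind when checking this: the sharing setting on the alias (Private, App, Global) only controls which apps can see the alias object, not which sourcetypes it matches, so it cannot substitute for the per-sourcetype stanzas; and the filename and field in the source:: pattern must match the source value Splunk recorded for the events, which you can confirm with a quick index=main HTTPRCode=* | stats count by source, sourcetype before relying on the pattern.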
Extractions and aliases are bound to source types in Splunk, so the concept of a global field would be done through applying permission on an alias to "Global" instead of "App", under permissions.
This also falls in line with best search practices; you should be narrowing down your searches.
index=main sourcetype=web OR sourcetype=access_combined OR sourcetype=whatever status=200
No need for a where.
I identified two different sourcetypes as having the HTTPRCode field. I changed the permission for sharing the alias from "private" to "Global" (and double checked to make sure 'Object should appear in' is set to 'All apps') and then ran the following query:
index=main sourcetype=sourcetype1 OR sourcetype=sourcetype2 status=200
and only the sourcetype for which the field alias was created is being returned.
Am I not setting the permissions in the correct place?
And thx for the reminder on best search practices...