Knowledge Management

Is it possible to create a global field alias?

jwalzerpitt
Influencer

I would like to create aliases for fields that map to Splunk's Common Information Model, so I go to Settings >> Fields >> Field aliases and enter the relevant information to map a field named HTTPRCode to the alias of status.

I tried entering * in the "apply to sourcetype named" field and when I ran a quick query of index=main | where status=200, no events were returned. I then deleted that field alias, created a new one, and entered a specific sourcetype name instead of *, and when I ran the query, events were returned.

If I have multiple sourcetypes that have the HTTPRCode field, do I need to create a field alias for each sourcetype, or is there a way to create one alias for HTTPRCode that applies to all sourcetypes that have that field?

Thx

laserval
Communicator

The sourcetype specifier is a type of regex, so you could make the field alias something like (sourcetype1)|(sourcetype2), or if you truly want it to apply to all sourcetypes (probably not, except if you set the alias to only be shared in a specific app), it should work with e.g. *.

Edit:
Scratch that, it is not a regex for sourcetypes, see http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/Propsconf

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an event.
3. source::<source>, where <source> is the source, or source-matching pattern, for an event.

In that case I don't think there's a solution using aliases, unless your sourcetypes match your sources in some predictable way (in which case you can use wildcards in your fieldalias stanza).

So in short, yes, you need to create an alias for each sourcetype if you want the same alias for different sourcetypes.
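As an added illustration (not code from any of the posters above, and not Splunk's own implementation), the following Python script parses a constructed props.conf fragment and applies its FIELDALIAS stanzas to sample events using a simplified model of the stanza matching described in the quoted spec: a bare `[<sourcetype>]` stanza matches the sourcetype literally (so the `[*]` stanza the question tried matches nothing), while `host::` and `source::` stanzas match by pattern. The sourcetype names sourcetype1 and sourcetype2 come from the thread; the /var/log/proxy path, the proxy- host pattern, the BytesSent field and the sample events are assumptions constructed for the example. The wildcard semantics (`*` not crossing a path separator, `...` matching anything) are my reading of the props.conf spec and should be checked against the documentation for your version.

```python
import re
from typing import Dict, List, Tuple

# Constructed props.conf fragment (example data, not from the thread or from Splunk).
# sourcetype1/sourcetype2 follow the thread; the source path, host pattern and
# BytesSent field are assumptions for this example.
PROPS_CONF = """
[*]
# what the question tried: a sourcetype stanza is literal, so this matches nothing
FIELDALIAS-cim_status = HTTPRCode AS status

[sourcetype1]
FIELDALIAS-cim_status = HTTPRCode AS status

[sourcetype2]
FIELDALIAS-cim_status = HTTPRCode AS status

[source::/var/log/proxy/*.log]
FIELDALIAS-cim_status = HTTPRCode AS status

[host::proxy-...]
FIELDALIAS-cim_bytes = BytesSent AS bytes
"""

STANZA_RE = re.compile(r"^\[(.+)\]$")
ALIAS_RE = re.compile(r"^FIELDALIAS-[^=]+=\s*(.+)$")
PAIR_RE = re.compile(r"(\w+)\s+AS\s+(\w+)", re.IGNORECASE)


def parse_props(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {stanza_name: [(orig_field, alias_field), ...]} for FIELDALIAS settings."""
    stanzas: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, [])
            continue
        m = ALIAS_RE.match(line)
        if m and current is not None:
            stanzas[current].extend(PAIR_RE.findall(m.group(1)))
    return stanzas


def _pattern_to_regex(pattern: str) -> "re.Pattern":
    """Wildcards for source::/host:: stanzas, as I read the props.conf spec
    (assumption: '...' matches anything, '*' matches anything except '/')."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def stanza_matches(stanza: str, event: Dict[str, str]) -> bool:
    """Literal match on a sourcetype stanza; pattern match on host:: and source::."""
    if stanza.startswith("host::"):
        return bool(_pattern_to_regex(stanza[len("host::"):]).match(event.get("host", "")))
    if stanza.startswith("source::"):
        return bool(_pattern_to_regex(stanza[len("source::"):]).match(event.get("source", "")))
    return stanza == event.get("sourcetype")


def apply_aliases(props: Dict[str, List[Tuple[str, str]]], event: Dict[str, str]) -> Dict[str, str]:
    """Copy of the event with every alias from a matching stanza added (simplified model)."""
    result = dict(event)
    for stanza, pairs in props.items():
        if not stanza_matches(stanza, event):
            continue
        for orig, alias in pairs:
            if orig in event and alias not in result:
                result[alias] = event[orig]
    return result


def sourcetypes_missing_alias(props, events, orig: str, alias: str) -> List[str]:
    """Sourcetypes whose events carry `orig` but still have no `alias` after the stanzas apply."""
    missing = {ev["sourcetype"] for ev in events
               if orig in ev and alias not in apply_aliases(props, ev)}
    return sorted(missing)


# Constructed sample events (not real log data).
EVENTS = [
    {"sourcetype": "sourcetype1", "source": "/var/log/app/a.log", "host": "web-1", "HTTPRCode": "200"},
    {"sourcetype": "sourcetype2", "source": "/var/log/app/b.log", "host": "web-2", "HTTPRCode": "404"},
    {"sourcetype": "sourcetype3", "source": "/var/log/proxy/squid.log", "host": "proxy-eu-1",
     "HTTPRCode": "302", "BytesSent": "512"},
    {"sourcetype": "sourcetype4", "source": "/var/log/other/x.log", "host": "db-1", "HTTPRCode": "500"},
]

if __name__ == "__main__":
    props = parse_props(PROPS_CONF)
    for ev in EVENTS:
        print(ev["sourcetype"], "->", apply_aliases(props, ev).get("status"))
    print("no status alias:", sourcetypes_missing_alias(props, EVENTS, "HTTPRCode", "status"))
```

Running it shows the point of the thread: sourcetype1 and sourcetype2 get `status` from their own stanzas, sourcetype3 gets it only because its source happens to match the `source::` pattern, and sourcetype4 is reported as still lacking the alias, so it would need a stanza of its own.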

esix_splunk
Splunk Employee

Extractions and aliases are bound to source types in Splunk, so the concept of a global field would be done through applying permission on an alias to "Global" instead of "App", under permissions.

This also falls in line with best search practices: you should be narrowing down your searches.

index=main sourcetype=web OR sourcetype=access_combined OR sourcetype=whatever status=200

No need for a where.


jwalzerpitt
Influencer

I identified two different sourcetypes as having the HTTPRCode field. I changed the permission for sharing the alias from "private" to "Global" (and double checked to make sure 'Object should appear in' is set to 'All apps') and then ran the following query:

index=main sourcetype=sourcetype1 OR sourcetype=sourcetype2 status=200

and only the sourcetype for which the field alias was created is being returned.

Am I not setting the permissions in the correct place?

And thx for the reminder on best search practices...
