- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- Is it possible to use one field alias for multiple...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
is it possible to use one field alias for multiple fields?
For example I want to use field aliases to rename these fields to Z
A -> Z
B -> Z
C -> Z
Currently the renaming is not working correctly.
Thanks in advance
Heinz
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would also suggest to look at creating "Calculated fields" using an eval functions like coalesce.
In props.conf
[<stanza>]
EVAL-Z = coalesce(A,B,C)
http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/definecalcfields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would also suggest to look at creating "Calculated fields" using an eval functions like coalesce.
In props.conf
[<stanza>]
EVAL-Z = coalesce(A,B,C)
http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/definecalcfields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good point, that would be a possible workaround. But I think this approach is more expensive than field aliases, am I correct?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As long as an event does not have more than one of the fields (A,B,C). If more than one field exists in an event, aliased field (Z) will take the values from the last entry in props.conf. So, for example if your props entry is `FIELDALIAS-multialias = A AS Z B AS Z C AS Z1, if an event has fields A and C, the aliased field Z will take value from field C
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The events do not have more than one the fields A, B, C. It seems, that sometimes Z is not extracted during the search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Field names are case sensitive. Make sure all events have the right case. The times when Z does not have a value, is it for a specific origin field. In other words, is it always for field A or B etc or is it random?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All fields have the right case. Sometimes it works as intended, for example when I use a short timerange or only a few different events. But on the other hand, after searching more events, Z is empty for events where it worked before.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
