Getting Field Aliases to Populate to a Dashboard

chrisschum
Path Finder

I have an index with data from two different sourcetypes. Each sourcetype has several different values which I have created field aliases for. When I run a search, all of the fields are shown with their aliases correctly.

However, if I save the search as a dashboard (which I will ultimately use with Text Inputs to search the data), the field aliases do not show up and, further, the field extractions don't show up either.

I have given the dashboard global read rights (heard that might fix it) but it still isn't working.

What am I missing?

Thanks!

0 Karma

woodcock
Esteemed Legend

It is not the dashboard that needs global permissions; it is your knowledge objects which do. Go here: Settings -> Fields -> Field aliases and search for yours. Change the sharing settings to global and it will work everywhere.

0 Karma

chrisschum
Path Finder

I adjusted these settings and unfortunately it still isn't pulling the Field Aliases.

Thanks!

0 Karma

woodcock
Esteemed Legend

Did you bump or log out and log back in?

0 Karma

chrisschum
Path Finder

Yes, I logged out and back in several times. I also restarted the Splunk server if that matters.

Thanks!

0 Karma

niketn
Legend

Can you paste the search query which is working before you save it as a dashboard? Also, can you mention the field with the alias?

Have you tried running the search in Fast mode? Does it work?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

chrisschum
Path Finder

It's a very simple search.

index="abc_security_sandbox" sourcetype="HL7" OR sourcetype="ABC1"

I did run it in Fast Mode and that did not return the Field Aliases.

Could that be the issue? The dashboard is running in 'Fast Mode' and needs to be run in 'Smart Mode' somehow via the Dashboard search?

Thanks!

0 Karma

niketn
Legend

@chrisschum, which is the field you have created an alias for? You mentioned that your original search was working fine (possibly running in smart or verbose) but the same did not work in fast mode.

Are you using the alias field in the base search or afterwards? Try the following with your alias field.

index="abc_security_sandbox" sourcetype="HL7" OR sourcetype="ABC1"
| search <YourAliasFieldName>

It would be better if you add more details with your sourcetype --> field mapping and alias field name.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

micahkemp
Champion

Are the dashboard and props.conf (in which you defined the ALIASes) in the same app? If not, you may need to alter your metadata for the app which defines your ALIASes to export its props to all other apps.

0 Karma
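
The app-level export mentioned in the reply above, shown as an added illustration that is not from the thread or the poster's environment. `<defining_app>` and the field names are placeholders; only the sourcetypes `HL7` and `ABC1` come from the question.

```ini
# --- $SPLUNK_HOME/etc/apps/<defining_app>/local/props.conf ---
# Aliases as they might be defined for the two sourcetypes in the thread.
# Field names (PID, pat_id, patient_id) are constructed for illustration.
[HL7]
FIELDALIAS-patient = PID AS patient_id

[ABC1]
FIELDALIAS-patient = pat_id AS patient_id

# --- $SPLUNK_HOME/etc/apps/<defining_app>/metadata/local.meta ---
# App-scoped: the aliases resolve only for searches run inside <defining_app>,
# so a dashboard saved in a different app does not see them.
# [props]
# export = none

# Exported: the aliases resolve for searches and dashboards in every app.
# Read access is what lets non-admin roles use the objects at search time.
[props]
access = read : [ * ], write : [ admin ]
export = system
```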

chrisschum
Path Finder

Unfortunately, I don't have direct access to that file so I've reached out to the admins to ask that question.

I'll let you know when I hear back from them.

Thanks!

0 Karma