Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why doesn't my field alias work?

danielbb
Motivator
‎11-07-2019 06:48 AM

I created a field alias via the UI -

alt text

I made it global and under $SPLUNK_HOME/etc/apps/<app name>/local/props.conf, we see -

[<sourcetype>]
FIELDALIAS-test2 = status ASNEW aaaaaa

When searching - index=<index_name> sourcetype="<sourcetype>" status=* the field aaaaaa dones't show up.

What do I miss?

Labels (1)
Labels
Tags (2)
Preview file
1 KB
Reply

gaurav_maniar
Builder
‎11-07-2019 07:06 AM

Hi @danielbb ,

Syntax for defining FIELDALIAS is incorrect. It should be, 

[<sourcetype>]
FIELDALIAS-test2 = status AS aaaaaa

Refer to the document, https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Configurefieldaliaseswithprops.conf

As you have configured it from the UI this should not be the case. Which Splunk version you are using?
May be your FIELDALIAS created from UI is being ignored by any manually added FIELDALIAS for same sourcetype with same name.

UPDATE
From version 7, FIELDALIAS created from web are store with ASNEW keyword.
As per the documentation, creating FIELDALIAS with props.conf AS keyword is used in definition.
But both will work.

Reply

danielbb
Motivator
‎11-07-2019 08:48 AM

Perfect. I made the changes. Do I need to bounce the SH?

0 Karma
Reply

gaurav_maniar
Builder
‎11-07-2019 12:16 PM

If its standalone search head, you can refresh configuration without restart by, goto
https://splunk_host:8000/en-US/debug/refresh/‘ and hit Refresh button.

Reply

danielbb
Motivator
‎11-07-2019 12:34 PM

I ran it and reports back about field aliasing saying - Refreshing admin/fieldaliases OK

But the action field is not available.

0 Karma
Reply

gaurav_maniar
Builder
‎11-07-2019 01:11 PM

what do you mean by action field is not available?

0 Karma
Reply

danielbb
Motivator
‎11-07-2019 01:28 PM

Sorry, the mapping reads now -

FIELDALIAS-toaction = status AS action

And index=<index_name> sourcetype="<sourcetype>" action=* returns no results.

0 Karma
Reply

gaurav_maniar
Builder
‎11-07-2019 01:53 PM

can you please check the permission of the FIELDALIAS?
If permission is private and you are looking for FIELDALIAS in the different app that it is created, it will not show.

If the permission is private, change it to 'All Apps', 'Read' allow 'Everyone'.

Reply

danielbb
Motivator
‎11-07-2019 02:06 PM

Right, the sharing is Global and the SH was bounced.

0 Karma
Reply

gaurav_maniar
Builder
‎11-11-2019 01:57 AM

Still it is not working? which Splunk version you are using?
Check the article with FieldAlias bug on Splunk versions.
https://docs.splunk.com/Documentation/Splunk/7.3.1/ReleaseNotes/Fieldaliasbehaviorchange

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...