Problem with Fields Aliases

mcalta · ‎06-24-2017

Hi all,
I have some problem with fields aliases.
I try to explain, I receive a message MQ with a XML message body; i'm able to retrieve every tag into the body.
Now I need to "map" two or more tag under the same alias, something like this:

If I search by single tag I found a lot of values, but when i try to search with alias I found only a few values (below an example).

As you can see values like 9781 or 9779 are always identified, the others values not.
I tried to modify or check or rewrite props/fields/transorm.conf, but I have always the same result.

Please I need some help, I don't know how to solve.

Thanks a lot.

mcalta · ‎06-26-2017

Hi Giuseppe,

with coalesce function I can retrieve all the values, thank you.
But I need to know if alias function works correctly, I need to do this type of function for a lot of fields so I could be much more "comfortable" use an alias.

My search it's simple:

index="index_name" | table _time,"ALIAS",CODE1,CODE2

It seems that alias does not "store" correctly one of the field.

Thanks a lot.
Marco

gcusello · ‎06-25-2017

Hi
It's useful to have your search and results.
in the meantime did you tried with a calculated field using coalesce?

| eval ElaborationCode=coalesce(SLOGELAB,SPOSELAB)

Bye.
Giuseppe

woodcock · ‎06-25-2017

We are never going to understand unless you show the searches and the results that go with them.

Problem with Fields Aliases

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?