Splunk Search

Using Field Aliases

olavo123
Explorer

Just a small query: Let's say I need to find all values in one field in the access_logs matching values in some other fields:

For example a search like this:

Sourcetype="My_Custom_sourcetype" departure_city = return_city ...and so on..

We want to find all errors where the departure city and return city are the same.

Above we want to look at all values where dep_city equals the value in the return_city field. In SQL we normally use aliases for such joins. I have tried using FIELDALIAS but it does not seem to work. Would appreciate any help. Thanks.

1 Solution

somesoni2
Revered Legend

I had a similar requirement and the following worked for me:

Change

Sourcetype="My_Custom_sourcetype"  departure_city = return_city

to

Sourcetype="My_Custom_sourcetype" |where departure_city = return_city

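An added example (not part of the accepted answer) that spells out why the change works. In the base search, the right-hand side of departure_city=return_city is taken as a literal string, so the first search below only matches events whose departure_city field contains the text "return_city". The where command evaluates both sides as fields, so the second search is the one that finds same-city pairs. The third search is an assumed extension of the same idea: it normalizes case and surrounding whitespace before comparing, then counts the matching combinations. Field and sourcetype names are the ones from the question; the comparison functions are standard eval functions.

```spl
sourcetype="My_Custom_sourcetype" departure_city=return_city

sourcetype="My_Custom_sourcetype"
| where departure_city = return_city

sourcetype="My_Custom_sourcetype"
| where lower(trim(departure_city)) = lower(trim(return_city))
| stats count by departure_city, return_city
| sort - count
```

The third form answers the "all combinations" version of the question: it needs no city value up front and reports every departure/return pair that matched, with the most frequent first. Drop the lower()/trim() wrappers if the raw values must match exactly.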


olavo123
Explorer

Thanks so much. You are awesome.


crt89
Communicator

You should set which host/source/sourcetype you want to define your field alias on.
Then set something like this:
Let's say departure_city is on host1 and return_city is on host2

host=host1
departure_city = my_city_alias

create another one for return_city on host2

host=host2
return_city = my_city_alias

in your search:

host=host1 OR host=host2 my_city_alias="Some City"

This should return events with departure_city and return_city that are the same.
Hope this helps.

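As an added example (not crt89's own configuration), this is what the two host-scoped aliases described above look like in props.conf. The stanza names and the alias class name "city" are assumptions; the field names are the ones from the thread.

```ini
# Assumed props.conf fragment, constructed for illustration.
# On host1 the city lives in departure_city; expose it under the shared name.
[host::host1]
FIELDALIAS-city = departure_city AS my_city_alias

# On host2 the city lives in return_city; expose it under the same shared name.
[host::host2]
FIELDALIAS-city = return_city AS my_city_alias
```

With both aliases in place, the search host=host1 OR host=host2 my_city_alias="Some City" matches events from either host regardless of which original field held the value. The same aliases can be created from Settings > Fields > Field aliases instead of editing the file. Note what an alias does and does not do: it gives an existing field an additional name at search time, it does not compare two fields inside one event, which is why the where clause from the accepted answer is still needed for the "all combinations" case.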

olavo123
Explorer

Thanks for the answer. This query is useful if we are looking for pairs given a particular city, but in my case, I want to do it for all combinations.
