Hi,
I'm using Splunk 6.6.3 with the Enterprise Security app, with access only to the web interface.
I have two indexes, each with the same sourcetype:
index=index1 sourcetype=WindowsEventLogs
index=index2 sourcetype=WindowsEventLogs
WindowsEventLogs contains the same fields in both indexes, as expected.
I created an alias named "dhost" which corresponds with the existing field "dest". The field alias has global permissions, readable to everyone.
Next, I obtained the count of "dest" and "dhost" from each index, specifying a 1-minute range from the time picker (9:55:00 - 9:55:59). The results show a different number of events for the original "dest" field and the aliased "dhost" field:
index=index1 sourcetype=WindowsEventLogs | stats count(dest) 612 (612 events)
index=index1 sourcetype=WindowsEventLogs | stats count(dhost) 335 (612 events)
index=index2 sourcetype=WindowsEventLogs | stats count(dest) 19 (19 events)
index=index2 sourcetype=WindowsEventLogs | stats count(dhost) 4 (19 events)
I expected the numbers to match in each index. For example, I expected 335 to be 612, and I expected 4 to be 19.
I also tried the same scenario with "source" instead of "sourcetype" when creating the field alias, but the results were exactly the same.
Also, if I create a field alias for a sourcetype whose name isn't shared with any other indexes, the numbers for "dest" and "dhost" sometimes do match as I expected, and sometimes they do not.
Finally, I've read the Splunk docs, searched Google and answers.splunk.com, and can't find any mention of this behavior. Have I overlooked something? Shouldn't the count of the alias and the field being aliased be the same?
Thanks.
Update: I don't believe that field aliases are working properly. I've just created 7 aliases for a field in one sourcetype, and the search results are inconsistent:
index=foo sourcetype=bar | stats count(src),count(shost2),count(shost3),count(test123),count(asdf),count(test1234),count(asdf2),count(test12)
These are the results:
src: 43
shost2: 0
shost3: 0
test123: 15
asdf: 0
test1234: 15
asdf2: 0
test12: 15
That is not what I expect to see based on the definition of a field alias.
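As an added diagnostic (example searches, not part of the original post), the following SPL assumes the index1, WindowsEventLogs, dest and dhost names from the question. stats count(field) counts only the events in which that field is non-null, so the two counts can match only if every event that carries dest also carries dhost. The first search groups events by whether each field is present, which shows directly how many events the alias fails to populate; the second lists those events so the source, sourcetype and raw field values can be compared against the alias definition.

```spl
index=index1 sourcetype=WindowsEventLogs
| eval has_dest=if(isnotnull(dest), "yes", "no"),
       has_dhost=if(isnotnull(dhost), "yes", "no")
| stats count by has_dest has_dhost

index=index1 sourcetype=WindowsEventLogs
| where isnotnull(dest) AND isnull(dhost)
| table _time source sourcetype dest dhost
```

Run each search separately over the same 1-minute window used above. A row with has_dest=yes and has_dhost=no is the set of events behind the gap between 612 and 335; if the second search returns events whose source or sourcetype differs from the one the alias was defined against, that is the first thing to check in the alias configuration.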