How to Create Field Aliases in Splunk

Hi Guys !!

Hope you are doing well with Splunk. Today we have a new Splunk topic: field aliases. A field alias is simply an alternate name given to an existing field for future use. A field alias doesn't replace or remove the existing field from the events. A field can have multiple field aliases, but a field alias can be assigned to only one field.

In the search-time operation sequence, field aliases come fourth, just before calculated fields and after key-value extraction. Because they are processed before lookups, you can create an automatic lookup based on a field alias. Field aliases are helpful if you have similar lookup files that contain the same field values but use different field names.

To create a field alias, follow the navigation below.

Navigation:

Settings » Fields » Field aliases » Add new

Create a Field Alias

Example 1:

To create a field alias, follow the navigation mentioned above. Give the Destination app name for which you want to create the field alias. After that, give the field alias a name. We have named it minute_aliases. Then select the metadata to which you want to apply it. We have selected sourcetype as the metadata and given a sourcetype called splunkd_ui_access. Finally, specify the existing field name and the alternative name for that field. Here we have specified date_minute as the existing field name and Minute as the alternative name, so Minute will be the field alias. After filling in all of these, click Save to save the field alias.

After that, change the permission to global so that everyone can see this field alias. Then click Save to set the permission.

Now you can see the field alias in the fields list. In the query for this example, date_minute is the existing field name and Minute is the field alias; the index is _internal and the sourcetype is splunkd_ui_access. With the table command we have selected those two fields, and with the dedup command we have removed duplicate values from the result set.

********************************************************************************

Example 2:

To create a field alias, follow the navigation mentioned above. Give the Destination app name for which you want to create the field alias. After that, give the field alias a name. We have named it minute_aliases. Then select the metadata to which you want to apply it. We have selected sourcetype as the metadata and given a sourcetype called splunkd_ui_access. Finally, specify the existing field name and the alternative name for that field. Here we have specified date_minute as the existing field name and Date Minute as the alternative name, so Date Minute will be the field alias. After filling in all of these, click Save to save the field alias.

After that, change the permission to global so that everyone can see this field alias. Then click Save to set the permission.

Now you can see the field aliases in the fields list. In the query for this example, date_minute is the existing field name and Minute and DATE MINUTE are the field aliases; the index is _internal and the sourcetype is splunkd_ui_access. With the table command we have selected those three fields, and with the dedup command we have removed duplicate values from the result set. As you can see, we can create multiple field aliases for one existing field.
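The search described above, written out as an added example (it is not the original post's own query). It assumes the two aliases were saved exactly as Minute and Date Minute, since field names are case sensitive; alias_check is a field name introduced here for illustration, used to confirm that both aliases carry the same value as date_minute and that the original field is still present.

```spl
index=_internal sourcetype=splunkd_ui_access date_minute=*
| table date_minute Minute "Date Minute"
| dedup date_minute Minute "Date Minute"
| eval alias_check=if(date_minute==Minute AND date_minute=='Date Minute', "match", "mismatch")
```

A field name that contains a space is written in double quotes in table and dedup, and in single quotes inside eval. If alias_check shows mismatch on every row, check the alias spelling and that its permission is global.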

Hope this has helped you achieve the requirement below without fail!!

How to Create Field Aliases in Splunk

 

Happy Splunking !!
