Refine your search:

FieldAlias Setup

0

I'm trying to setup Fieldalias and not getting desire results. Here is what I have put into the props.conf file.

  FIELDALIAS = acct AS account
  FIELDALIAS = User_Name AS account

Am I missing something??

Thanks

asked 17 Sep '10, 13:04

wildbill4's gravatar image

wildbill4
354
accept rate: 50%

edited 07 Jun '11, 13:56

jlaw's gravatar image

jlaw ♦
20113
2 Answers:
oldestnewestmost voted
2

Your second FIELDALIAS statement will override the first.

Try adding an extension so that you have two unique entries:

FIELDALIAS-acct = acct AS account
FIELDALIAS-username = User_Name AS account

Alternately, you can have both aliases in a single line. If you go that route, you will still override any previously defined value for FIELDALIAS=, so it's still a good idea to add a qualifier as shown above.

link

answered 17 Sep '10, 13:26

southeringtonp's gravatar image

southeringtonp ♦
4.5k1215
accept rate: 35%

Does it matter where in the props.conf file I input the FIELDALIAS information?

(17 Sep '10, 13:41) wildbill4

It will have to be in a stanza that matches the sourcetype (or host, or source) for which you want to set the field alias. Other than that, it doesn't matter as long as it's a unique entry as above. If it's non-unique, then you have to worry about precedence rules, since another entry could override it (possibly from a different app). Also, I'm assuming you're only trying to use it within the search app -- if you need it across multiple apps you'll need to check the permissions and make sure it's set to global.

(17 Sep '10, 14:12) southeringtonp ♦

Thanks for the assistance

(17 Sep '10, 14:13) wildbill4
1

Unfortunately, field aliasing is one-to-one, and won't allow you to map many-to-one. The reason is that if orig_field doesn't exist, a blank value will be assigned to new_field.

Consider an event that has only the acct field. Both FIELDALIAS directives will be evaluated. Lexicographically, FIELDALIAS-acct runs first and successfully aliases acct as account. But when FIELDALIAS-username runs it finds no User_Name field, so the result is the account field will be blank.

There are two ways to work around this.

  1. Use props.conf:

    REPORT-alias_account = acct_as_account,User_Name_as_account

    and transforms.conf:

    [acct_as_account]
SOURCE_KEY = acct
REGEX = (?<account>.+)
[User_Name_as_account]
SOURCE_KEY = User_Name
REGEX = (?<account>.+)

  2. Use the search language:

    | eval account= IF(ISNULL(acct),User_Name,acct)
link

answered 19 Oct '10, 01:05

Dan's gravatar image

Dan ♦
7842317
accept rate: 33%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×311
×166

Asked: 17 Sep '10, 13:04

Seen: 773 times

Last updated: 07 Jun '11, 13:56

Related questions

Suggestions for line breaking and field extraction of deeply-nested XML configuration files

Manual Field Extraction Configuration

Source type is not setup properly and field extractions are not working

How to add an indexed field in a distributed setup?

Show a link to my app's setup page, but only to users who have privileges to run app setup

cant setup *nix app: Splunk cannot find "apps/local/unix/setup".

Is setup.xml the best way to implement the setup experience?

Is there an example configuration available for an Intermediate Forwarding configuration?

Copyright © 2005-2012 Splunk, Inc. All rights reserved.