Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Confusing behaviour of fieldalias

szabados
Communicator
‎04-24-2017 01:20 AM

I've have downloaded from Splunkbase and applied the Linux secure TA on my Splunk instance, and I've been facing with a strange issue I can't understand.

There are a couple fieldaliases defined in it:

FIELDALIAS-rhost = rhost AS src_ip <<<<<<<<<<
FIELDALIAS-src_user = ruser AS src_user
FIELDALIAS-app = process AS app
FIELDALIAS-vendor_product = process AS vendor_product
FIELDALIAS-dest = host AS dest
FIELDALIAS-dest_host = host AS dest_host
FIELDALIAS-dest_nt_domain = kerberos_domain AS dest_nt_domain
FIELDALIAS-src = src_ip AS src <<<<<<<<<<<<<<

I've marked the problematic ones with the arrows.
So, src_ip is created just as expected. However, src is not, just only in a really few number of events. Doing a quick spotcheck, I had like 25 different values in src_ip, but only 2 in src.
My search looked like simply this:
index=ftp

Going forward, when I've selected a value from src_ip, and run my search like this:
index=ftp src_ip=1.2.3.4

then the src field was created, and it had the 1.2.3.4 value in it. (previously, it was present in src_ip but not in src)

After this, I've created a new props.conf in the local folder of the TA, and added the following line:
FIELDALIAS-rhost = rhost AS src_ip
FIELDALIAS-rhost_test= rhost AS src <<<<<<<

Now it works for 100% of the events, both src_ip and src is created with all the values.

I just can't understand what went wrong with the original configuration.
What am I missing ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rjthibod
Champion
‎04-24-2017 03:52 AM

In your original configuration, you are trying to define a fieldalias src from the other fieldalias src_ip. That is no supported. All fieldalias operation happen in parallel, so you cannot have a dependency on one alias in the definition of another alias.

Your second version works because there is no dependency on src_ip in the definition of src.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

lwest_splunk
Splunk Employee
Splunk Employee
‎08-01-2019 04:07 PM

For a more in-depth explanation of the limitations of FIELDALIAS, please see my answer on https://answers.splunk.com/answers/657473/fieldalias-override-another-fieldalias.html?childToView=76...

0 Karma
Reply
Solved! Jump to solution
Solution

rjthibod
Champion
‎04-24-2017 03:52 AM

In your original configuration, you are trying to define a fieldalias src from the other fieldalias src_ip. That is no supported. All fieldalias operation happen in parallel, so you cannot have a dependency on one alias in the definition of another alias.

Your second version works because there is no dependency on src_ip in the definition of src.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...