This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6
You can create multiple aliases for a field. The original field is not removed. This process enables you to search for the original field using any of its aliases.
Important: Field aliasing is performed after key/value extraction but before field lookups. Therefore, you can specify a lookup table based on a field alias. This can be helpful if there are one or more fields in the lookup table that are identical to fields in your data but have been named differently. For more information, read "Look up fields from external data sources" in this manual.
You can define aliases for fields that are extracted at index time as well as those that are extracted at search time.
You add your field aliases to props.conf, which you edit in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. (We recommend using the latter directory if you want to make it easy to transfer your data customizations to other index servers.)
To alias fields:
1. Add the following line to a stanza in props.conf:
FIELDALIAS-<class> = (<orig_field_name> AS <new_field_name>)+
2. Restart Splunk for your changes to take effect.
Say you're creating a lookup for an external static table CSV file in which the field you've extracted at search time as "ip" is referred to as "ipaddress". In the props.conf file where you've defined the extraction, you would add a line that defines "ipaddress" as an alias for "ip", as follows:
[accesslog]
EXTRACT-extract_ip = (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
FIELDALIAS-extract_ip = ip AS ipaddress
When you set up the lookup in props.conf, you can just use ipaddress where you'd otherwise have used ip:
[dns]
LOOKUP-lookup_ip = dnsLookup host OUTPUT ipaddress
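The following is an added example, not code from the page or from Splunk: a small Python simulation of the search-time pipeline the page describes (key/value extraction, then FIELDALIAS, then LOOKUP), so you can see why a lookup may be keyed on an alias and that the original field survives aliasing. The props.conf fragment, the assetLookup table, the stanza and class names, and the sample log lines are all constructed for the example and are not from the page.

```python
"""Simulate Splunk's search-time field pipeline for the props.conf settings on this page:
EXTRACT (key/value extraction) -> FIELDALIAS -> LOOKUP, applied in that order.
This is an illustration of the documented ordering, not Splunk's own implementation."""
import csv
import io
import re

# Constructed props.conf fragment (example data, not the page's own file). The stanza,
# class names, the second alias and the LOOKUP line are hypothetical but follow the
# FIELDALIAS-<class> = (<orig> AS <new>)+ and LOOKUP-<class> grammar.
PROPS_CONF = r"""
[accesslog]
EXTRACT-extract_ip = (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
FIELDALIAS-extract_ip = ip AS ipaddress ip AS clientip
LOOKUP-owner = assetLookup ipaddress OUTPUT owner
"""

# Constructed lookup table whose key column uses the alias name, as the page describes.
ASSET_CSV = """ipaddress,owner
10.0.0.5,web-team
10.0.0.9,db-team
"""


def parse_props(text):
    """Parse a minimal props.conf: returns {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def parse_fieldalias(value):
    """'a AS b c AS d' -> [('a', 'b'), ('c', 'd')], per the (<orig> AS <new>)+ grammar."""
    return re.findall(r"(\S+)\s+AS\s+(\S+)", value)


def load_lookup(csv_text):
    """Load a static CSV lookup table into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def extract_fields(pattern, raw):
    """Apply an EXTRACT regex. Splunk uses PCRE (?<name>...) groups; Python needs (?P<name>...)."""
    py_pattern = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)
    m = re.search(py_pattern, raw)
    return dict(m.groupdict()) if m else {}


def apply_aliases(fields, pairs):
    """Copy each original field under its alias; the original field is kept.
    An alias whose original field is absent from the event is simply skipped."""
    out = dict(fields)
    for orig, new in pairs:
        if orig in fields:
            out[new] = fields[orig]
    return out


def apply_lookup(fields, spec, tables):
    """spec: '<lookup_name> <input_field> OUTPUT <output_field>' (single field each)."""
    name, input_field, _, output_field = spec.split()
    value = fields.get(input_field)
    for row in tables[name]:
        if row.get(input_field) == value:
            return {**fields, output_field: row[output_field]}
    return dict(fields)


def process_event(raw, stanza, tables):
    """Run one raw event through the three stages in the order the page documents."""
    fields = {}
    # 1. key/value extraction
    for key, value in stanza.items():
        if key.startswith("EXTRACT-"):
            fields.update(extract_fields(value, raw))
    # 2. field aliasing: runs after extraction, so it sees the extracted fields
    for key, value in stanza.items():
        if key.startswith("FIELDALIAS-"):
            fields = apply_aliases(fields, parse_fieldalias(value))
    # 3. lookups: run after aliasing, so they may be keyed on an alias such as ipaddress
    for key, value in stanza.items():
        if key.startswith("LOOKUP-"):
            fields = apply_lookup(fields, value, tables)
    return fields


if __name__ == "__main__":
    stanza = parse_props(PROPS_CONF)["accesslog"]
    tables = {"assetLookup": load_lookup(ASSET_CSV)}
    print(process_event('10.0.0.5 - - "GET /index.html"', stanza, tables))
```

Run as written, the event yields ip, ipaddress and clientip all set to 10.0.0.5 (the original ip is retained) and owner resolved to web-team through the alias-keyed lookup; an address absent from the table produces no owner field. If the lookup stage were moved ahead of the alias stage, the lookup keyed on ipaddress would find no input value, which is the ordering point the page makes.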
For more information about search time field extraction, see "Add fields at search time" in this manual.
For more information about field lookups, see "Create field lookups from external data sources" in this manual.