Splunk Field(s) of Dreams: How-to Create Calculated Fields and Aliases

Providing your organization with a user-friendly search and analytics experience is critical to improving the usability of data in Splunk. By creating field aliases and calculated fields in Splunk, users can query new fields with or without altering the original field. In this way, users can choose to:

  • Correct an original field name that is truncated, misspelled, or abbreviated
  • Correlate or aggregate a field with a similar field from a different sourcetype
  • Better describe the data in the field
  • Create a field to filter data
  • Confirm with the Common Information Model (CIM)

Define Field Alias vs Calculated Field

A field alias is an alternate name that can be assigned to a field. Multiple field aliases can be created for one field. A calculated field is a way to perform repetitive, long, or complex derivations from the calculation of one or more other fields.

Though both are search-time operations that make it easier to interact with your original data, the field alias is processed before the calculated field. Thus, a field alias cannot be created for a field that was itself created as a calculated field. Both can override an existing field with the new field. To create the field, the user can either add the field to the configuration file, props.conf, or add it from the Splunk Web GUI.

Create a Field Alias from Splunk Web

To create a field alias from Splunk Web, follow these steps:

  1. Locate a field within your search that you would like to alias.
  2. Select Settings > Fields.
  3. Select Field aliases > + Add New.
  4. Then, select the app that will use the field alias.
  5. Select host, source, or sourcetype to apply to the field alias and specify a name.
    1. Note: Enter a wildcard to apply the field to all hosts, sources, or sourcetypes.
  6. Enter the name for the existing field and the new alias.
    1. Note: The existing field should be on the left side, and the new alias should be on the right side.
    2. Note: Multiple field aliases can be added at one time.
  7. (Optional) Select Overwrite field values if you want the alias field to be removed when the original field does not exist or has no value, and to have an existing field with the alias name overwritten with the original field's value.
  8. Click Save.
Figure 1 - Field Alias from Splunk Web

Create a Calculated Field from Splunk Web

To create a calculated field from Splunk Web, follow these steps:

  1. Select Settings > Fields.
  2. Select Calculated Fields > + Add New.
  3. Then, select the app that will use the calculated field.
  4. Select host, source, or sourcetype to apply to the calculated field and specify a name.
    1. Note: Enter a wildcard to apply the field to all hosts, sources, or sourcetypes.
  5. Enter the name for the resultant calculated field.
  6. Define the eval expression.
Figure 2 - Calculated Field from Splunk Web

Note, however, that when you create the field alias or calculated field in the Splunk Web GUI, the field is saved in the /etc/system/local/props.conf configuration file. If you want the configuration file to live in the app associated with the data you are defining the field for, you have to save the field in the /etc/apps/<app_name_here>/local/props.conf configuration file.

Create a Field Alias or Calculated Field in props.conf

To create a field alias or a calculated field in props.conf:

  1. Navigate to /etc/apps/<app_name_here>/local/props.conf.
  2. Open the file using an editor.
  3. Locate or create the stanza associated with the host, source, or sourcetype to apply to the field alias or calculated field.
  4. Next, add the following lines to the stanza (the FIELDALIAS line for a field alias, the EVAL line for a calculated field):
     [<stanza>]
     FIELDALIAS-<class> = <orig_field_name> AS <new_field_name>
     EVAL-<field_name> = <eval_statement>
    • <stanza> can be:
      1. host::<host>, where <host> is the host for an event.
      2. source::<source>, where <source> is the source for an event.
      3. <source type>, the source type of an event.
    • Field aliases must be defined with FIELDALIAS.
      1. Note: The term is not case sensitive and the hyphen is mandatory.
      2. <orig_field_name> is the original name of the field. It is case sensitive.
      3. <new_field_name> is the alias to assign to the field. It is case sensitive.
      4. Note: AS must be between the two names and multiple field aliases can be added to the same class.
    • Calculated fields must be defined with EVAL.
      1. Note: The term is not case sensitive and the hyphen is mandatory.
      2. <field_name> is the name of the calculated field. It is case sensitive.
      3. <eval_statement> is the expression that defines the calculated field. Much like the eval search command, it can be evaluated to any value type, including multi-value, boolean, or null.
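A worked props.conf fragment, added here as an illustration and not taken from the post, for a hypothetical firewall sourcetype (the sourcetype name acme:firewall and the vendor field names src_ip, dst_ip, dst_port and raw_action are assumed). The aliases map the vendor's fields onto CIM names without touching the originals, and because aliases are applied before calculated fields, the EVAL expressions can use the aliased src field.

```ini
# $SPLUNK_HOME/etc/apps/<app_name_here>/local/props.conf
# Sourcetype and vendor field names are assumed for this example.
[acme:firewall]

# Several aliases in one class: vendor field on the left, CIM name on the right.
# The original fields remain searchable alongside the new names.
FIELDALIAS-acme_cim = src_ip AS src dst_ip AS dest dst_port AS dest_port

# ASNEW instead of AS gives the "Overwrite field values" behaviour from the GUI:
# an existing "action" field is overwritten with raw_action's value.
FIELDALIAS-acme_action = raw_action ASNEW action

# Normalize the vendor's wording to the CIM values "blocked"/"allowed".
EVAL-action_cim = if(match(lower(raw_action), "deny|drop|block"), "blocked", "allowed")

# Aliases are applied first, so the aliased src field is available here.
EVAL-src_is_internal = if(cidrmatch("10.0.0.0/8", src) OR cidrmatch("192.168.0.0/16", src), "true", "false")

# Calculated fields cannot reference other calculated fields, so the logic for
# "blocked traffic from outside the network" is repeated here rather than
# written as action_cim="blocked" AND src_is_internal="false".
EVAL-external_blocked = if(match(lower(raw_action), "deny|drop|block") AND NOT (cidrmatch("10.0.0.0/8", src) OR cidrmatch("192.168.0.0/16", src)), 1, 0)
```

After a restart or a debug/refresh, a search such as sourcetype=acme:firewall external_blocked=1 | stats count by src, dest_port filters on the new fields directly.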

Creating field aliases and calculated fields helps make the data more versatile. By using both the original fields and the new fields, users can create knowledge objects that craft a visual story about what the data represents. A well-crafted data visualization can help users understand trends, patterns, and relationships. Making meaningful correlations will ultimately lead to making better decisions.

Need more Splunk Tips?

As a dedicated Splunk partner with a bench full of experts, we’ve gained valuable insights and understanding of the Splunk platform that can propel your business forward. When it comes to best practice methods, training, and solution delivery, we’ve developed service offerings that can help any organization exceed its Splunk goals. For Splunk tips like this post, check out our Expertise on Demand service offering. If you’re working on projects that require a larger scope and Splunk skills, see what our professional service offerings can deliver for you.