Field Aliasing
Security Requirements and Controls
Change field aliases
permission
Available: Field Aliasing v1.124.0
Field aliasing is available from LogScale v1.124
Field aliasing allows to apply any data model at query time, simplifying query writing and making it easier to search and correlate data originating from different sources. This functionality allows assigning alternative names — or Aliases — to fields created at parse time.
With field aliasing, the search will produce results similar to adding
rename()
statements at the beginning of your queries
— however, using field aliasing instead of
rename()
will provide additional benefits:
Ease of use: field aliasing is applied to each query, to simplify query writing.
Performance: using field aliasing is more efficient than aliasing your fields with case-rename statements.
Flexibility:
As field aliasing is applied at search time, you can use it to query historical data.
No changes in the parser are required when you want to apply a new schema (that is, your list of common aliases).
Multiple application level for a variety of use cases and scenarios:
Entire organization — if your organization uses one schema, you can set it up as a default for all repositories and views, including any new repositories/views created in the future.
Selected repository/views — if you want to apply a schema to specific use cases only.
Warning
When a field is renamed to a field that already exists, the existing
field and its content is overwritten by the new aliased field. The same
happens when the field is renamed using the
rename()
function.
An example of field aliasing configured in the UI is depicted here:
Figure 85. Field Aliasing
Field aliasing configuration in LogScale is defined as a three-step process:
Create a new Schema. Schemas define a list of common aliases that you want to use in your queries.
Aliases can be used instead of, or in addition to the original fields.
Schemas can be applied on the organization or repository view level.
You can still use event fields in your searches that are not included in the schema for aliasing.
Create Field Alias Mappings. Mappings define rules on how to map original field names to the aliases specified in the schema. A mapping contains:
A pair of original (parsed) field name and its alias
A condition when to apply the alias to the event (based on tag fields).
Activate the schema for the entire organization or selected repositories/views.
The following figure represents the process:
Figure 86. Field Aliasing Process
See Configuring Field Aliasing for more details on how to create field aliasing in LogScale.