Field Aliasing

Security Requirements and Controls
  • Change field aliases permission

Field Aliasing lets you apply any data model at query time, which simplifies query writing and makes it easier to search and correlate data originating from different sources. It does this by assigning alternative names, or Aliases, to fields created at parse time.

With Field Aliasing, a search produces results similar to adding rename() statements at the beginning of your queries, but Field Aliasing provides additional benefits:

  • Ease of use: Field Aliasing is applied to each query, to simplify query writing.

  • Performance: using Field Aliasing is more efficient than aliasing your fields with case-rename statements.

  • Flexibility:

    • As Field Aliasing is applied at search time, you can use it to query historical data.

    • No changes in the parser are required when you want to apply a new schema (i.e., your list of common aliases).

  • Multiple application levels for a variety of use cases and scenarios:

    • Entire organization — if your organization uses one schema, you can set it up as a default for all repositories and views, including any new repositories/views created in the future.

    • Selected repository/views — if you want to apply a schema to specific use cases only.

An example of Field Aliasing configured in the User Interface is depicted here:

Figure 85. Field Aliasing

Field Aliasing configuration in LogScale is defined as a three-step process:

  1. Create a new Schema. Schemas define a list of common aliases that you want to use in your queries.

    • Aliases can be used instead of, or in addition to, the original fields.

    • Schemas can be applied on the organization or repository view level.

    • You can still use event fields in your searches that are not included in the schema for aliasing.

  2. Create Field Alias Mappings. Mappings define rules on how to map original field names to the aliases specified in the schema. A mapping contains:

    • A pair consisting of the original (parsed) field name and its alias.

    • A condition that determines when to apply the alias to the event (based on tag fields).

  3. Activate the schema for the entire organization or selected repositories/views.
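The three steps above can be pictured with a small conceptual model in Python. This is an added example, not LogScale code or its implementation; the names `SCHEMA`, `MAPPINGS`, `apply_aliases`, `search`, the `keep_original` flag and the sample events are all constructed for illustration.

```python
# Conceptual model of query-time field aliasing (not LogScale code).
# Every name and event below is constructed for illustration.

SCHEMA = ["source.ip", "user.name"]  # step 1: the aliases the schema defines

# Step 2: one mapping per source. "tags" is the tag-field condition,
# "aliases" holds original -> alias pairs, and "keep_original" models
# "instead of, or in addition to, the original fields".
MAPPINGS = [
    {"tags": {"#type": "firewall"}, "keep_original": False,
     "aliases": {"src": "source.ip", "usr": "user.name"}},
    {"tags": {"#type": "proxy"}, "keep_original": True,
     "aliases": {"c_ip": "source.ip", "cs_username": "user.name"}},
]

def apply_aliases(event, schema, mappings):
    """Return a query-time view of the event; the stored event is untouched."""
    view = dict(event)
    for m in mappings:
        if any(event.get(tag) != val for tag, val in m["tags"].items()):
            continue  # tag condition not met, mapping does not apply
        for original, alias in m["aliases"].items():
            if alias not in schema or original not in event:
                continue
            view[alias] = event[original]
            if not m["keep_original"]:
                view.pop(original, None)
    return view

def search(events, field, value, schema=SCHEMA, mappings=MAPPINGS, active=True):
    """Step 3: while the schema is active, every query sees the aliased view."""
    views = [apply_aliases(e, schema, mappings) if active else e for e in events]
    return [v for v in views if v.get(field) == value]

EVENTS = [  # constructed events that were parsed and stored before any schema existed
    {"#type": "firewall", "src": "10.0.0.5", "usr": "alice", "action": "deny"},
    {"#type": "proxy", "c_ip": "10.0.0.5", "cs_username": "alice", "url": "/login"},
    {"#type": "dns", "src": "10.0.0.5", "qname": "example.org"},
]

if __name__ == "__main__":
    for hit in search(EVENTS, "source.ip", "10.0.0.5"):
        print(hit)
```

One query on `source.ip` correlates the firewall and proxy events, while the `dns` event, which has no mapping for its tag, is matched only by its original field name.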

The figure below represents the process:

Figure 86. Field Aliasing Process

See Configuring Field Aliasing for more details on how to create Field Aliasing in the User Interface.