Creating Field Aliases and Calculated Fields Mod 9 Flashcards

1
Q

What are Field Aliases?

A

A way to normalize data over any default field (host, source or sourcetype)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Can multiple aliases be applied to one field?

A

Yes they can

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

When are Field Aliases applied?

A

After field extractions and before lookups

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Can you apply field aliases to lookups?

A

Yes you can

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What would you do if you had several source types containing some type of username field?

A

You would create a Field Alias to make data correlation and searching easier, normailze the field(s)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

How would you create a field alias?

A
  • Settings
  • Fields
  • Field Aliases
  • New Field Alias
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

After opening up a new Field Alias what would you do to finish?

A
  1. Select the app associated with the field alias
  2. Enter a name for the field alias
  3. Apply the field alias to a default field
    - host
    - source
    - sourcetype
  4. Enter the name for the existing field and the new alias
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

After you have created a field alias what should you do?

A

Test it! Perform a search using the new field alias

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

When you create a new field alias is the original field affected?

A

No, the original field is not affected

- both fields appear in the all fields and interesting fields lists, if they appear in at least 20% of events

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

After creating a field alias are you able to reference them in a lookup table?

A

Yes you can reference them in a lookup table

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What is a calculated field?

A

Is a shortcut for performing repetitive, long, or complex transformations using the eval command and it must be based on an extracted field

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What is not supported when using a calculated field?

A

Output fields from a lookup table or fields/columns generated from within a search string are not supported

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

How would you create a calculated field?

A
  • Settings
  • Fields
  • Calculated Fields
  • New calculated Field
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

After opening up a new calculated field what do you do next?

A
  1. Select the app that will use the calculated field
  2. Select host, source, or sourceytpe to apply to the calculated field and specify the related name
  3. Name the calculated field
  4. Define the eval expression
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What happens after you have created a calculated field?

A

You can use it in a search like any other extracted field

How well did you know this?
1
Not at all
2
3
4
5
Perfectly