Creating Field Aliases and Calculated Fields

Question 1

What are field aliases?

Answer 1

Field aliases give you a way to normalize data over any default field (host, source, or sourcetype).

Question 2

What options are you given for applying a field alias to?

Answer 2

• Sourcetype
• Source
• Host

Question 3

True or False: Multiple aliases can be applied to a single field.

Answer 3

True, but it is not recommended.

Question 4

True or False: Field Aliases are added to the fields sidebar.

Answer 4

True

Question 5

True or False: When createing a field alias, the original field is affected.

Answer 5

False.

The original field is not affected.

Question 6

Where do a field alias and the original field appear in the fields list?

Answer 6

Both fields appear in the All Fields and Interesting Fields lists, if they appear in at least 20% of the events.

Question 7

In what order are the knowledge objects Field Aliases, Field Extractions, and Lookups applied?

Answer 7

Field Extractions, Field Aliases, Lookups

Question 8

When are field aliases applied?

Answer 8

After field extractions, before lookups.

Question 9

Are Field Aliases case sensitive?

Answer 9

Field aliases are also case sensitive as field names are case sensitive.

Question 10

True or False: Field aliases can be referenced by a lookup file.

Answer 10

True.