Module 9 Creating Field Aliases and Calculated Fields

Question 1

What do we use Field Aliases for?

Answer 1

to Normalise data over a default field (host, source or sourcetype)

Question 2

can Multiple Aliases be applied to one field?

Answer 2

Yes

Question 3

when are field aliases applied?

Answer 3

After field extractions and before lookups

Question 4

True or False

Field aliases can’t be applied to lookups

Answer 4

False

Question 5

Give a usage example for field extraction

Answer 5

Several devices have some type of username field
deviceA user, device username, DeviceC USER
we will create a UserName Filed alias

Question 6

where do we locate the field alias tool?

Answer 6

Settings > Fields > Field Aliases > New Field Alias

Question 7

when creating the field alias is the original field affected?

Answer 7

NO

Question 8

True or False

Field aliases can be referenced in a lookup table

Answer 8

True

Question 9

What is a calculated field?

Answer 9

shortcut for performing repetitive, long or complex transformations using the eval command.
Must be based on an extracted field

Question 10

where do you create a calculated field

Answer 10

Settings > Fields > Calculated Fields > New Calculated Field

Question 11

How does this look using the megabytes calculated field?
| eval megabytes = sc_bytes/(1024*1024)
| stats sum(megabytes) as Megabytes by usage
| sort Megabytes

Answer 11

| | sort Megabytes

stats sum(megabytes) as Megabytes by usage