Alias give you a way to normalize data over multiple sources. You can assign one or more aliases to any extracted field, and apply to fields from a lookup table
We have "Splunk Enterprise knowledge objects include saved searches, event types, tags, field extractions, lookups, reports, alerts, data models, workflow actions, and fields." to choose from, which leaves `Field aliases` out (Source courtesy of Daniel9527: https://docs.splunk.com/Splexicon:Knowledgeobject)
Nevertheless, the only find in page match for "to normalize field names" is:
b. Create field aliases to normalize field names
More precise source: https://docs.splunk.com/Documentation/CIM/latest/User/UsetheCIMtonormalizedataatsearchtime#b._Create_field_aliases_to_normalize_field_names
Field alias is number 5 in the table. Very important to learn by heart: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchtimeoperationssequence
FX, Alias and Lookup. So here it would be option C only.
Ref: https://docs.splunk.com/Documentation/CIM/5.1.1/User/UsetheCIMtonormalizedataatsearchtime
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
NastyNutsu
4 months, 3 weeks agoSCARODJ
1 year, 2 months agoSCARODJ
1 year, 2 months agoDaniel9527
1 year, 3 months agoaarvee
1 year, 8 months ago