The correct answer is D. field2 values are replaced with the value of the field1.
A field alias is a way to associate an additional (new) name with an existing field name. A field alias can be used to normalize fields from different sources that have different names butrepresent the same data. Field aliases can also be used to rename fields for clarity or convenience1.
When you create a field alias in Splunk Web, you can select the Overwrite Field Values option to change the behavior of the field alias. This option affects how the Splunk software handles situations where the original field has no value or does not exist, as well as situations where the alias field already exists as a field in your events, alongside the original field2.
If you select the Overwrite Field Values option, the following rules apply:
If the original field does not exist or has no value in an event, the alias field is removed from that event.
If the original field and the alias field both exist in an event, the value of the alias field is replaced with the value of the original field.
If you do not select the Overwrite Field Values option, the following rules apply:
If the original field does not exist or has no value in an event, the alias field is unchanged in that event.
If the original field and the alias field both exist in an event, both fields are retained with their respective values.
Therefore, if you create a field alias where field1—field2 and select the Overwrite Field Values option, and an event only contains values for field1, then the value of field2 will be replaced with the value of field1.
[References:, About calculated fields, About field aliases, Create field aliases in Splunk Web, , , , , ]
