https://community.splunk.com/t5/Splunk-Enterprise/Field-alias-calculated-field/m-p/560947#M6512 <P>Hi,</P><P>LOOKUP-asset_lookup = server_summary host OUTPUTNEW &nbsp;&nbsp;serveros AS asset_os</P><P>I have a lookup where serveros is one of the field</P><P>asset_os is one of the enriched field from serveros</P><P>Now, I need one more field called os (for datamodelling) which is same as asset_os</P><P>I tried below but its not working out ( I need both asset_os and os field)</P><P>1) I tried asset_os as os in field alias --&gt; didnt work</P><P>2) I created a calculated field,&nbsp;<BR />case(isnotnull(asset_os),asset_os,1==1,"unkown") - asset_os is not showing in fields</P><P>3) I added the below line into props.conf - Also here&nbsp;asset_os is not showing in fields</P><P>LOOKUP-asset_lookup1 = server_summary host OUTPUTNEW &nbsp;&nbsp;serveros AS&nbsp;os&nbsp;</P><P>Is there any other way I can get both asset_os and os field in the fields?</P><P>We cannot go for field extraction as the required field value is not available in logs, the value is taken from lookup table.</P> Tue, 27 Jul 2021 07:03:36 GMT VijaySrrie 2021-07-27T07:03:36Z https://community.splunk.com/t5/Splunk-Enterprise/Field-alias-calculated-field/m-p/560947#M6512 <P>Hi,</P><P>LOOKUP-asset_lookup = server_summary host OUTPUTNEW &nbsp;&nbsp;serveros AS asset_os</P><P>I have a lookup where serveros is one of the field</P><P>asset_os is one of the enriched field from serveros</P><P>Now, I need one more field called os (for datamodelling) which is same as asset_os</P><P>I tried below but its not working out ( I need both asset_os and os field)</P><P>1) I tried asset_os as os in field alias --&gt; didnt work</P><P>2) I created a calculated field,&nbsp;<BR />case(isnotnull(asset_os),asset_os,1==1,"unkown") - asset_os is not showing in fields</P><P>3) I added the below line into props.conf - Also here&nbsp;asset_os is not showing in fields</P><P>LOOKUP-asset_lookup1 = server_summary host OUTPUTNEW &nbsp;&nbsp;serveros AS&nbsp;os&nbsp;</P><P>Is there any other way I can get both asset_os and os field in the fields?</P><P>We cannot go for field extraction as the required field value is not available in logs, the value is taken from lookup table.</P> Tue, 27 Jul 2021 07:03:36 GMT https://community.splunk.com/t5/Splunk-Enterprise/Field-alias-calculated-field/m-p/560947#M6512 VijaySrrie 2021-07-27T07:03:36Z https://community.splunk.com/t5/Splunk-Enterprise/Field-alias-calculated-field/m-p/560951#M6513 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/164779">@VijaySrrie</a>&nbsp;</P><P>Can you describe little more easy, what fields you have in lookup table, and what fields in events and which one is a match to lookup field.</P><P>what your output would be?</P> Tue, 27 Jul 2021 07:22:46 GMT https://community.splunk.com/t5/Splunk-Enterprise/Field-alias-calculated-field/m-p/560951#M6513 venkatasri 2021-07-27T07:22:46Z https://community.splunk.com/t5/Splunk-Enterprise/Field-alias-calculated-field/m-p/561134#M6529 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/163730">@venkatasri</a>&nbsp;</P><P>lookup table field name -&nbsp;&nbsp;<SPAN>serveros&nbsp;</SPAN></P><P>Field available in log - No fields available</P><P>asset_os field is the enriched field from lookup table (serveros)</P><P>I am in need of field called os (os field used for data modelling)&nbsp;</P><P>os field can be enriched from the lookup table field - serveros, but when I do like that asset_os field is not showing.</P><P>I need a way to create a field called os which can be enriched from the lookup table field serveros,&nbsp; without disturbing the already existing field asset_os</P><P>&nbsp;</P> Wed, 28 Jul 2021 03:26:55 GMT https://community.splunk.com/t5/Splunk-Enterprise/Field-alias-calculated-field/m-p/561134#M6529 VijaySrrie 2021-07-28T03:26:55Z https://community.splunk.com/t5/Splunk-Enterprise/Field-alias-calculated-field/m-p/561136#M6530 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/164779">@VijaySrrie</a>&nbsp; I am not quite understood yet.</P><P>Lookup table name - serveros ?</P><P>Field names in csv - asset_os, serveros</P><P>you want output - serveros AS os? along with asset_os ?</P><P>To enrich from CSV you should have some matching field in your event- you said 'No fields' meaning you just want to query the CSV and get the results using | inputlookup ?&nbsp;</P> Wed, 28 Jul 2021 03:36:47 GMT https://community.splunk.com/t5/Splunk-Enterprise/Field-alias-calculated-field/m-p/561136#M6530 venkatasri 2021-07-28T03:36:47Z https://community.splunk.com/t5/Splunk-Enterprise/Field-alias-calculated-field/m-p/561138#M6531 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/164779">@VijaySrrie</a>&nbsp; Try this search UI from where you have access to lookup file. Do a inputlookup first to verify before.</P><LI-CODE lang="markup">| lookup server_summary host OUTPUTNEW serveros as os, asset_os</LI-CODE><P>&nbsp;</P> Wed, 28 Jul 2021 03:52:00 GMT https://community.splunk.com/t5/Splunk-Enterprise/Field-alias-calculated-field/m-p/561138#M6531 venkatasri 2021-07-28T03:52:00Z