Solved: csv lookup on aliased field

EricPartington · ‎10-08-2010

I am trying to setup a csv lookup for data enrichment on an Aliased field. original field name dstport aliased to dest_port (common info model name)

what field will work for the data lookup?

lookup_table = ProtocolLookup dstport OUTPUT app

or

lookup_table = ProtocolLookup dest_port OUTPUT app

with the CSV column name reflecting either dest_port or dstport

Lowell · ‎10-08-2010

I believe that field aliasing happens before lookups. So I would go with the common information model field names. If push come to shove, you can always use the "as" clause in your lookup, like:

lookup_table = ProtocolLookup dest_port as dstport OUTPUT app

View solution in original post

Lowell · ‎10-08-2010

I believe that field aliasing happens before lookups. So I would go with the common information model field names. If push come to shove, you can always use the "as" clause in your lookup, like:

lookup_table = ProtocolLookup dest_port as dstport OUTPUT app

EricPartington · ‎10-12-2010

thanks, original port works fine as the base for this CSV enrichment.

csv lookup on aliased field

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!