Solved: csv lookup on aliased field

EricPartington · ‎10-08-2010

I am trying to setup a csv lookup for data enrichment on an Aliased field. original field name dstport aliased to dest_port (common info model name)

what field will work for the data lookup?

lookup_table = ProtocolLookup dstport OUTPUT app

or

lookup_table = ProtocolLookup dest_port OUTPUT app

with the CSV column name reflecting either dest_port or dstport

Lowell · ‎10-08-2010

I believe that field aliasing happens before lookups. So I would go with the common information model field names. If push come to shove, you can always use the "as" clause in your lookup, like:

lookup_table = ProtocolLookup dest_port as dstport OUTPUT app

View solution in original post

Lowell · ‎10-08-2010

I believe that field aliasing happens before lookups. So I would go with the common information model field names. If push come to shove, you can always use the "as" clause in your lookup, like:

lookup_table = ProtocolLookup dest_port as dstport OUTPUT app

EricPartington · ‎10-12-2010

thanks, original port works fine as the base for this CSV enrichment.

csv lookup on aliased field

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

csv lookup on aliased field

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience