Solved: csv lookup on aliased field

EricPartington · ‎10-08-2010

I am trying to setup a csv lookup for data enrichment on an Aliased field. original field name dstport aliased to dest_port (common info model name)

what field will work for the data lookup?

lookup_table = ProtocolLookup dstport OUTPUT app

or

lookup_table = ProtocolLookup dest_port OUTPUT app

with the CSV column name reflecting either dest_port or dstport

Lowell · ‎10-08-2010

I believe that field aliasing happens before lookups. So I would go with the common information model field names. If push come to shove, you can always use the "as" clause in your lookup, like:

lookup_table = ProtocolLookup dest_port as dstport OUTPUT app

View solution in original post

Lowell · ‎10-08-2010

I believe that field aliasing happens before lookups. So I would go with the common information model field names. If push come to shove, you can always use the "as" clause in your lookup, like:

lookup_table = ProtocolLookup dest_port as dstport OUTPUT app

EricPartington · ‎10-12-2010

thanks, original port works fine as the base for this CSV enrichment.

csv lookup on aliased field

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation