Solved: Is it possible to create a field alias on a lookup...

jmteo · ‎07-22-2018

Hi guys,

I am in the midst of trying to map the fields in my data to the splunk authentication CIM. However, I realised that I don't seem able to create a field alias on lookup output fields (eg. Interfaces [lookup output field] => App [CIM field]) {ie This field aliases don't show up}. Is it possible to create a field alias for mapping my lookup output field to the CIM model, and if there isn't, could I kindly request for your suggestion as to what I can do to map my lookup fields to the CIM Model? Thanks and have a pleasant day/evening ahead 🙂

FrankVl · ‎07-23-2018

You can do that straight in the lookup action, by writing the output side of the lookup as OUTPUT <output_field> AS <output_field_in_event>

View solution in original post

FrankVl · ‎07-23-2018

You can do that straight in the lookup action, by writing the output side of the lookup as OUTPUT <output_field> AS <output_field_in_event>

jmteo · ‎07-23-2018

Guess I overlooked that. Thanks 🙂

Is it possible to create a field alias on a lookup output field for mapping to the CIM model?

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?