Splunk Enterprise

Field alias/calculated field

VijaySrrie
Builder

Hi,

LOOKUP-asset_lookup = server_summary host OUTPUTNEW   serveros AS asset_os

I have a lookup where serveros is one of the field

asset_os is one of the enriched field from serveros

Now, I need one more field called os (for datamodelling) which is same as asset_os

I tried below but its not working out ( I need both asset_os and os field)

1) I tried asset_os as os in field alias --> didnt work

2) I created a calculated field, 
case(isnotnull(asset_os),asset_os,1==1,"unkown") - asset_os is not showing in fields

3) I added the below line into props.conf - Also here asset_os is not showing in fields

LOOKUP-asset_lookup1 = server_summary host OUTPUTNEW   serveros AS os 

Is there any other way I can get both asset_os and os field in the fields?

We cannot go for field extraction as the required field value is not available in logs, the value is taken from lookup table.

Labels (1)
0 Karma

VijaySrrie
Builder

@venkatasri 

lookup table field name -  serveros 

Field available in log - No fields available

asset_os field is the enriched field from lookup table (serveros)

I am in need of field called os (os field used for data modelling) 

os field can be enriched from the lookup table field - serveros, but when I do like that asset_os field is not showing.

I need a way to create a field called os which can be enriched from the lookup table field serveros,  without disturbing the already existing field asset_os

 

0 Karma

venkatasri
SplunkTrust
SplunkTrust

@VijaySrrie  I am not quite understood yet.

Lookup table name - serveros ?

Field names in csv - asset_os, serveros

you want output - serveros AS os? along with asset_os ?

To enrich from CSV you should have some matching field in your event- you said 'No fields' meaning you just want to query the CSV and get the results using | inputlookup ? 

0 Karma

venkatasri
SplunkTrust
SplunkTrust

@VijaySrrie  Try this search UI from where you have access to lookup file. Do a inputlookup first to verify before.

| lookup server_summary host OUTPUTNEW serveros as os, asset_os

 

0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @VijaySrrie 

Can you describe little more easy, what fields you have in lookup table, and what fields in events and which one is a match to lookup field.

what your output would be?

0 Karma
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...