Splunk Enterprise

Field alias/calculated field

VijaySrrie
Builder

Hi,

LOOKUP-asset_lookup = server_summary host OUTPUTNEW   serveros AS asset_os

I have a lookup where serveros is one of the field

asset_os is one of the enriched field from serveros

Now, I need one more field called os (for datamodelling) which is same as asset_os

I tried below but its not working out ( I need both asset_os and os field)

1) I tried asset_os as os in field alias --> didnt work

2) I created a calculated field, 
case(isnotnull(asset_os),asset_os,1==1,"unkown") - asset_os is not showing in fields

3) I added the below line into props.conf - Also here asset_os is not showing in fields

LOOKUP-asset_lookup1 = server_summary host OUTPUTNEW   serveros AS os 

Is there any other way I can get both asset_os and os field in the fields?

We cannot go for field extraction as the required field value is not available in logs, the value is taken from lookup table.

Labels (1)
0 Karma

VijaySrrie
Builder

@venkatasri 

lookup table field name -  serveros 

Field available in log - No fields available

asset_os field is the enriched field from lookup table (serveros)

I am in need of field called os (os field used for data modelling) 

os field can be enriched from the lookup table field - serveros, but when I do like that asset_os field is not showing.

I need a way to create a field called os which can be enriched from the lookup table field serveros,  without disturbing the already existing field asset_os

 

0 Karma

venkatasri
SplunkTrust
SplunkTrust

@VijaySrrie  I am not quite understood yet.

Lookup table name - serveros ?

Field names in csv - asset_os, serveros

you want output - serveros AS os? along with asset_os ?

To enrich from CSV you should have some matching field in your event- you said 'No fields' meaning you just want to query the CSV and get the results using | inputlookup ? 

0 Karma

venkatasri
SplunkTrust
SplunkTrust

@VijaySrrie  Try this search UI from where you have access to lookup file. Do a inputlookup first to verify before.

| lookup server_summary host OUTPUTNEW serveros as os, asset_os

 

0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @VijaySrrie 

Can you describe little more easy, what fields you have in lookup table, and what fields in events and which one is a match to lookup field.

what your output would be?

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...